Creating GSSAPI initiate credential using keytab entry

Greg Hudson ghudson at MIT.EDU
Mon Mar 8 12:11:27 EST 2010

On Mon, 2010-03-08 at 05:00 -0500, Richard Evans wrote:
> 1. Use a KRB5 API call to get the credentials for the relevant keytab
> entry
> 2. Store them in a temporary cache file (I don't want to mess with the
> cache for the current user)
> 3. Set the KRB5CCNAME environment variable to point at this location
> 4. Call gss_acquire_cred to get the initiator credentials
> 5. Restore the previous value of KRB5CCNAME, if any
> 6. Delete the temporary cache file

I don't have example code on hand but I can provide some guidance on
what APIs to use.

* Start by creating a krb5 context with krb5_init_context().  Clean this
up later with krb5_free_context().

* Create a ccache with krb5_cc_new_unique().  Pass "MEMORY" as the type
parameter and NULL as the hint.  Clean this up later with

* Open your keytab with krb5_kt_default() or krb5_kt_resolve().  Clean
this up later with krb5_kt_close().

* Acquire the credential with krb5_get_init_creds_keytab().  If you need
to supply any options beyond the arguments to that function, create the
options structure with krb5_get_init_creds_opt_alloc(), other
krb5_get_init_creds_opt_* calls to set the options, and clean it up
later with krb5_get_init_creds_opt_free().  Clean up the resulting
credential later with krb5_free_creds().

* Store the returned credential into the memory ccache with

* Use gss_krb5_ccache_name() to get GSSAPI to use your memory ccache.
(Call krb5_cc_get_name() to get the ccache name.)  This function sets a
thread-specific variable.

Now you should be ready to acquire credentials.
