Creating GSSAPI initiate credential using keytab entry
Greg Hudson
ghudson at MIT.EDU
Mon Mar 8 12:11:27 EST 2010
On Mon, 2010-03-08 at 05:00 -0500, Richard Evans wrote:
> 1. Use a KRB5 API call to get the credentials for the relevant keytab
> entry
> 2. Store them in a temporary cache file (I don't want to mess with the
> cache for the current user)
> 3. Set the KRB5CCNAME environment variable to point at this location
> 4. Call gss_acquire_cred to get the initiator credentials
> 5. Restore the previous value of KRB5CCNAME, if any
> 6. Delete the temporary cache file
I don't have example code on hand but I can provide some guidance on
what APIs to use.
* Start by creating a krb5 context with krb5_init_context(). Clean this
up later with krb5_free_context().
* Create a ccache with krb5_cc_new_unique(). Pass "MEMORY" as the type
parameter and NULL as the hint. Clean this up later with
krb5_cc_destroy().
* Open your keytab with krb5_kt_default() or krb5_kt_resolve(). Clean
this up later with krb5_kt_close().
* Acquire the credential with krb5_get_init_creds_keytab(). If you need
to supply any options beyond the arguments to that function, create the
options structure with krb5_get_init_creds_opt_alloc(), use other
krb5_get_init_creds_opt_* calls to set the options, and clean it up
later with krb5_get_init_creds_opt_free(). Clean up the resulting
credential later with krb5_free_creds().
* Store the returned credential into the memory ccache with
krb5_cc_store_cred().
* Use gss_krb5_ccache_name() to get GSSAPI to use your memory ccache.
(Call krb5_cc_get_name() to get the ccache name.) This function sets a
thread-specific variable.
Now you should be ready to acquire credentials.