Creating GSSAPI initiate credential using keytab entry
richard.evans at datanomic.com
Mon Mar 8 20:11:09 EST 2010
I've written a little test program based on this and it works fine.
Just a couple of queries:
I assume the context needs to be freed after the gss_acquire_creds call?
ie the context is storing the memory cache?
One of the platforms I was experimenting was is AIX 5.3. The Kerberos
library there does not contain krb5_cc_new_unique. Is there by any
chance an older way of doing the same thing? The headers there mention
krb5_cc_gen_new but it does not appear to be in the library.
-------- Original Message --------
> On Mon, 2010-03-08 at 05:00 -0500, Richard Evans wrote:
> > 1. Use a KRB5 API call to get the credentials for the relevant keytab
> > entry
> > 2. Store them in a temporary cache file (I don't want to mess with the
> > cache for the current user)
> > 3. Set the KRB5CCNAME environment variable to point at this location
> > 4. Call gss_acquire_cred to get the initiator credentials
> > 5. Restore the previous value of KRB5CCNAME, if any
> > 6. Delete the temporary cache file
> I don't have example code on hand but I can provide some guidance on
> what APIs to use.
> * Start by creating a krb5 context with krb5_init_context(). Clean this
> up later with krb5_free_context().
> * Create a ccache with krb5_cc_new_unique(). Pass "MEMORY" as the type
> parameter and NULL as the hint. Clean this up later with
> * Open your keytab with krb5_kt_default() or krb5_kt_resolve(). Clean
> this up later with krb5_kt_close().
> * Acquire the credential with krb5_get_init_creds_keytab(). If you need
> to supply any options beyond the arguments to that function, create the
> options structure with krb5_get_init_creds_opt_alloc(), other
> krb5_get_init_creds_opt_* calls to set the options, and clean it up
> later with krb5_get_init_creds_opt_free(). Clean up the resulting
> credential later with krb5_free_creds().
> * Store the returned credential into the memory ccache with
> * Use gss_krb5_ccache_name() to get GSSAPI to use your memory ccache.
> (Call krb5_cc_get_name() to get the ccache name.) This function sets a
> thread-specific variable.
> Now you should be ready to acquire credentials.
More information about the krbdev