krbdev Digest, Learning Kerberos and gss_acquire_cred

letz.yaara letz.yaara at gmail.com
Mon Aug 26 06:53:46 EDT 2013


Sent from Yaara's phone

On 21 Aug 2013, at 17:34, krbdev-request at mit.edu wrote:

> Send krbdev mailing list submissions to
>    krbdev at mit.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://mailman.mit.edu/mailman/listinfo/krbdev
> or, via email, send a message with subject or body 'help' to
>    krbdev-request at mit.edu
>
> You can reach the person managing the list at
>    krbdev-owner at mit.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of krbdev digest..."
>
>
> Today's Topics:
>
>   1. 2013 Kerberos Interop Event (8-9 October 2013) at MIT
>      (Thomas Hardjono)
>   2. Learning Kerberos for development  (Yaara)
>   3. Re: Learning Kerberos for development  (Benjamin Kaduk)
>   4. Re: Learning Kerberos for development (letz.yaara)
>   5. Re: Learning Kerberos for development (Greg Hudson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 20 Aug 2013 17:35:59 +0000
> From: Thomas Hardjono <hardjono at MIT.EDU>
> Subject: 2013 Kerberos Interop Event (8-9 October 2013) at MIT
> To: "kitten at ietf.org" <kitten at ietf.org>, "krbdev at mit.edu"
>    <krbdev at MIT.EDU>
> Message-ID:
>    <5E393DF26B791A428E5F003BB6C5342A2F248834 at OC11EXPO24.exchange.mit.edu>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Folks,
>
> The 2013 Kerberos Interoperability & Testing ("Interop") event will be held at the MIT Campus on 8-9 October 2013. (The Tuesday-Wednesday after the annual Conference).
>
> https://kit.mit.edu/events
>
> Please email Thomas Hardjono or Tom Yu if you plan to attend (hardjono[at]mit.edu and tlyu[at]mit.edu). No registration is needed (just an email). We have a basic template doc to capture the features you want to test.
>
>
>
> 2013 MIT Kerberos Interop Event
> -------------------------------
> https://kit.mit.edu/events/kerberos-interoperability-testing-event
>
>
> Dates:   8-9 October 2013 (Tuesday-Wednesday).
>
> Time:    10AM - 5PM
>
> Venue:   MIT Campus, Building W92
>         Backbay Rooms A & B.
>         Corner of Vassar & Amesbury Sts.
>         Cambridge, MA 02139.
>
>         Map: http://whereis.mit.edu/?go=W92:
>
>
> Hotels:  The hotels near MIT Campus can be expensive, so we have
>         been advising people to find any hotel close to the
>         Red Line T subway line. The MIT campus is located at
>         the Red Line "MIT/Kendall Station".
>         From Kendall Square there is a white MIT Tech Shuttle (free)
>         that goes around campus and which stops at the doorsteps
>         of Building W92.
>
> MIT's list of hotels:
>
>         http://web.mit.edu/institute-events/visitor/stay.html
>
> List of stations on the Red Line T subway:
>
> http://www.mbta.com/schedules_and_maps/subway/lines/?route=RED
>
>
> Regards.
>
> /thomas/
>
>
>
>
> ____________________________________________
> Thomas Hardjono
> MIT Consortium for Kerberos & Internet Trust
> e:  hardjono[at]mit.edu
> m:  +1 781 729 9559
> w:  kit.mit.edu
> ____________________________________________
>
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 20 Aug 2013 21:19:46 +0100
> From: Yaara <letz.yaara at gmail.com>
> Subject: Learning Kerberos for development
> To: "krbdev at mit.edu" <krbdev at mit.edu>
> Message-ID: <F038B43A-212E-4BEE-9D90-5EC4EF41F99F at gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi, where would you recommend I go in order to implement Kerberos or SSPI in software?
> Thank you!
>
> Sent from Yaara's phone
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 20 Aug 2013 16:57:17 -0400 (EDT)
> From: Benjamin Kaduk <kaduk at MIT.EDU>
> Subject: Re: Learning Kerberos for development
> To: Yaara <letz.yaara at gmail.com>
> Cc: "krbdev at mit.edu" <krbdev at mit.edu>
> Message-ID: <alpine.GSO.1.10.1308201655530.24720 at multics.mit.edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Tue, 20 Aug 2013, Yaara wrote:
>
>> Hi, where would you recommend I go in order to implement Kerberos or SSPI in software?
>> Thank you!
>
> Hi Yaara,
>
> I'm a bit reluctant to give advice without a better sense of what you are
> trying to do, as the answers would be vastly different depending on
> whether you want to produce an implementation of the Kerberos protocol,
> use Kerberos to provide authentication for an existing application, or
> something else.  Can you share more about what you would like to do?
>
> -Ben Kaduk
>

We have a machine with a few instances of a proxy server. Each
instance should authenticate HTTP requests (407 Proxy-Authenticate).
The authentication is only SPNEGO (since I never
managed to generate raw Kerberos over HTTP).
I am using a keytab to acquire credentials.
Since ghudson said the credentials of the acceptor never expire, I
want to acquire the credentials for the keytab file only once and use
them for:
 - all the HTTP requests I get, with all the calls to gss_accept_sec_context
 - all the acceptors in all the instances (I have shared memory, so
this is not an issue)
How can I do it? How do I cache it? Where can I read about it?

Thank you in advance
Yaara
>
> ------------------------------
>
> Message: 4
> Date: Wed, 21 Aug 2013 10:27:45 +0100
> From: "letz.yaara" <letz.yaara at gmail.com>
> Subject: Re: Learning Kerberos for development
> To: Benjamin Kaduk <kaduk at MIT.EDU>
> Cc: "krbdev at mit.edu" <krbdev at mit.edu>
> Message-ID:
>    <CAMkM3i1PNRdAw=pxbnDRF_TQCaTEK9z4T7gBZ_BRmz2iVFaZig at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I'm using libkrb5, on Linux.
> I have a few issues that I'm struggling with; can you please help me
> understand or redirect me to some documentation:
>
> 1 - When gss_acquire_cred returns major error GSS_S_FAILURE, how do I
> parse the minor mechanism error? gss_display_status returns an empty
> string (and I can't find the code anywhere else).
> 2 - In what use-case scenarios do I have multiple messages to be processed by
> gss_display_status (in which I need to call gss_display_status again
> according to the message_context argument)?
> 3 - gss_acquire_cred - where does it keep its cred cache? (not /tmp/
> krb5cc_something) and if I'm calling this function again - will it use the
> cached credentials?
> 4 - gsskrb5_register_acceptor_identity - can I use this function instead
> of setting the environment variable KRB5_KTNAME? (not using
> /etc/krb5.conf at all)
> 5 - In gss_acquire_cred, the time_rec argument is described as "The number
> of seconds for which the credential will remain valid. If the time
> remaining is not required, specify NULL for this parameter." --> what does
> it mean "If the time remaining is not required"? Can my cached
> credentials be indefinitely valid? (Basically I want to know in advance
> when my credentials are expired and how do I control this date while
> creating the keytab)
>
> Thank you in advance,
> Yaara
>
>
>
> Sent from Yaara's phone
>
> On 20 Aug 2013, at 21:57, Benjamin Kaduk <kaduk at MIT.EDU> wrote:
>
> On Tue, 20 Aug 2013, Yaara wrote:
>
> Hi, where would you recommend I go in order to implement Kerberos or
> SSPI in software?
>
> Thank you!
>
>
> Hi Yaara,
>
> I'm a bit reluctant to give advice without a better sense of what you are
> trying to do, as the answers would be vastly different depending on whether
> you want to produce an implementation of the Kerberos protocol, use
> Kerberos to provide authentication for an existing application, or
> something else.  Can you share more about what you would like to do?
>
> -Ben Kaduk
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 21 Aug 2013 11:14:12 -0400
> From: Greg Hudson <ghudson at MIT.EDU>
> Subject: Re: Learning Kerberos for development
> To: "letz.yaara" <letz.yaara at gmail.com>
> Cc: "krbdev at mit.edu" <krbdev at mit.edu>
> Message-ID: <5214D944.2080607 at mit.edu>
> Content-Type: text/plain; charset=UTF-8
>
> On 08/21/2013 05:27 AM, letz.yaara wrote:
>> 1 - When gss_acquire_cred returns major error GSS_S_FAILURE, how do I
>> parse the minor mechanism error? gss_display_status returns an empty
>> string (and I can't find the code anywhere else).
>
> gss_display_status is the right way.  Make sure you're calling it
> correctly; you can see an example at
>
>  https://github.com/krb5/krb5/blob/master/src/tests/gssapi/common.c#L45
>
> There are a few bugs (not common) where we don't return a useful minor code.
>
>> 2 - In what use-case scenarios do I have multiple messages to be processed by
>> gss_display_status (in which I need to call gss_display_status again
>> according to the message_context argument)?
>
> I don't believe our implementation ever returns multiple messages, but
> you should check in case your code is linked against a different
> implementation which does.
>
>> 3 - gss_acquire_cred - where does it keep its cred cache? (not /tmp/
>> krb5cc_something) and if I'm calling this function again - will it use the
>> cached credentials?
>
> gss_acquire_cred doesn't usually create a new ccache; it just creates an
> in-memory object which represents an existing ccache or keytab.
>
> If you are creating an acceptor credential, there is no ccache.
>
>> 4 - gsskrb5_register_acceptor_identity - can I use this function instead
>> of setting the environment variable KRB5_KTNAME? (not using
>> /etc/krb5.conf at all)
>
> You can; it affects future calls for the current thread.  Depending on
> the version of libkrb5 you're using, there may be less hackish methods
> of doing the same thing, such as gss_krb5_import_cred (1.9) or
> gss_acquire_cred_from (1.10).
>
>> 5 - In gss_acquire_cred, the time_rec argument is described as "The number
>> of seconds for which the credential will remain valid. If the time
>> remaining is not required, specify NULL for this parameter." --> what does
>> it mean "If the time remaining is not required"?
>
> It means "if you do not need to know the amount of time remaining."
>
>> Can my cached
>> credentials be indefinitely valid? (Basically I want to know in advance
>> when my credentials are expired and how do I control this date while
>> creating the keytab)
>
> krb5 acceptor credentials are always indefinitely valid.  krb5 initiator
> credentials are not; there is always an expiry time on the TGT, although
> it may be a long time.
>
>
>
> ------------------------------
>
> _______________________________________________
> krbdev mailing list
> krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
> End of krbdev Digest, Vol 128, Issue 21
> ***************************************


