Want to clarify some general concepts of GSS-API kerberos programming
Greg Hudson
ghudson at MIT.EDU
Mon Jan 21 00:22:03 EST 2013
On 01/20/2013 03:31 AM, monish A wrote:
> How do I make use of GSS-API routines to implement Kerberos?
* The AS-REQ/AS-REP exchange usually needs to happen out of band. In
some implementations, gss_acquire_cred might be able to use a keytab to
acquire initial credentials depending on the process environment. There
are also some extensions like gss_acquire_cred_with_password which can
get initial credentials.
* gss_init_sec_context performs a TGS-REQ/TGS-REP exchange if it needs
to get a service ticket (there may already be one cached). To establish
the security context, it constructs a token based on the Kerberos AP-REQ
message, and for mutual authentication, gss_accept_sec_context constructs
a reply token based on the Kerberos AP-REP message.
* The krb5 GSS mechanism uses its own token format for gss_wrap and
gss_get_mic messages; it doesn't use KRB-SAFE/KRB-PRIV messages.
Timestamps are included in the authenticators contained in TGS-REQ and
AP-REQ messages.