Want to clarify some general concepts of GSS-API kerberos programming

Greg Hudson ghudson at MIT.EDU
Mon Jan 21 00:22:03 EST 2013

On 01/20/2013 03:31 AM, monish A wrote:
> How to make use of GSS-API routines to implement kerberos?

* The AS-REQ/AS-REP exchange usually needs to happen out of band.  In
some implementations, gss_acquire_cred might be able to use a keytab to
acquire initial credentials depending on the process environment.  There
are also some extensions like gss_acquire_cred_with_password which can
get initial credentials.

* gss_init_sec_context performs a TGS-REQ/TGS-REP exchange if it needs
to get a service ticket (there may already be one cached).  To establish
the security context, it constructs a token based on the Kerberos AP-REQ
message, and for mutual authentication, gss_accept_context constructs a
reply token based on the Kerberos AP-REP message.

* The krb5 GSS mechanism uses its own token format for gss_wrap and
gss_get_mic messages; it doesn't use KRB-SAFE/KRB-PRIV messages.

Timestamps are included in the authenticators contained in TGS-REQ and
AP-REQ messages.

More information about the krbdev mailing list