user-to-user counterpart of krb5_server_decrypt_ticket_keytab()?

Rick van Rein rick at openfortress.nl
Sat Jul 2 02:15:42 EDT 2016


Hello,

I'm pretty far with piecing together my TLS += Kerberos-DH [1]
implementation in GnuTLS [2] and my TLS Pool [3].  Simo's hint to look
at kvno.c and kinit.c really helped, thanks!

Since it was a straightforward extension, I added user-to-user Kerberos
to the spec [4].  Adding the 2nd ticket to the ticket request in the
client was all handled by the library.  Nice!

But on the server I run into a missing u2u counterpart for
krb5_server_decrypt_ticket_keytab(); I need something along the lines of
krb5_server_decrypt_ticket_creds() that would use a TGT (krb5_creds)
rather than a keytab to decrypt a ticket.

Is there a function in the libkrb5 API to do just that?  If not, how is
user-to-user normally implemented?  Is there a clever bypass, or will I
have to strip down the ticket with application code?

Thanks!
 -Rick


[1] http://tls-kdh.arpa2.net/tls-kdh.html
[2] http://github.com/arpa2/gnutls-kdh
[3] https://github.com/arpa2/tlspool/blob/tls-kdh/src/starttls.c
[4] https://tools.ietf.org/html/draft-vanrein-tls-kdh-04#section-4.3


More information about the krbdev mailing list