user-to-user counterpart of krb5_server_decrypt_ticket_keytab()?

Rick van Rein rick at
Sat Jul 2 02:15:42 EDT 2016


I'm pretty far with piecing together my TLS += Kerberos-DH [1]
implementation in GnuTLS [2] and my TLS Pool [3].  Simo's hint to look
at kvno.c and kinit.c really helped, thanks!

Since it was a straightforward extension, I added user-to-user Kerberos
to the spec [4].  Adding the 2nd ticket to the ticket request in the
client was all handled by the library.  Nice!

But on the server I run into a missing u2u counterpart for
krb5_server_decrypt_ticket_keytab(); I need something along the lines of
krb5_server_decrypt_ticket_creds() that would use a TGT (krb5_creds)
rather than a keytab to decrypt a ticket.

Is there a function in the libkrb5 API to do just that?  If not, how is
user-to-user normally implemented?  Is there a clever bypass, or will I
have to strip down the ticket with application code?


