user-to-user counterpart of krb5_server_decrypt_ticket_keytab() ?

Rick van Rein rick at
Sun Jul 3 13:45:27 EDT 2016

Thanks Greg,

> libkrb5.exports is the library export list; it contains functions which
> are exported for the sake of test programs, or the GSS-API library, or
> the KDC.  Not everything in there is a public API.

That's why I found it indirectly, I see.

> krb5_decrypt_tkt_part() is not prototyped in krb5.h, so it is not a
> public API.

Yes, I had to add its prototype manually to my own header files, which of course foregoes the advantage of type checking the library call!

> You don't need to explicitly decrypt the ticket in a user-to-user
> program; rd_req will take care of it for you.  Have a look at
> src/appl/user_user for an example.

Wish I'd had the space in TLS to pack a simple AP-REQ / AP-REP exchange, and that's certainly how this all started, but the AP protocol was not possible I found; also it's less natural to TLS which passes "raw public keys" and that sounds more like a Ticket than like an AP-REQ.

I don't suppose I could convince you to add the higher-up krb5_server_decrypt_ticket_creds() to the public API, could I?


More information about the krbdev mailing list