Getting ticket from the KDC in C
Dean Dln
constantinedalianis at gmail.com
Thu Jan 7 10:18:24 EST 2021
Dear Chris and Ken,
Thank you both for your replies. They helped a lot.
I work for CERN and we are using Kerberos for user authentication purposes.
I managed to get a service ticket using `gss_init_sec_context` from GSSAPI.
Best regards,
Dean
On Wed, 6 Jan 2021 at 21:48, Chris Hecker <checker at d6.com> wrote:
>
> Have you compiled and run the samples in the source distribution (in
> src/appl in my version)? There are two different client/server samples
> and a user to user sample. Those should at least get you started
> (they're how I got started with the krb5 c api). Also, the klist and
> kvno sources show how to decode tickets and whatnot, if you need to do
> that.
>
> Chris
>
>
> ------ Original Message ------
> From: "Dean Dln" <constantinedalianis at gmail.com>
> To: krbdev at mit.edu
> Sent: 2021-01-06 00:06:41
> Subject: Getting ticket from the KDC in C
>
> >Dear all,
> >
> >I would like to ask for some tips on how to get a ticket from the Key
> >Distribution Center (KDC) using the MIT krb5 API in C/C++?
> >
> >I already have a working Java Client which uses GSS-API to obtain a ticket
> >from the KDC (using a local TGT) and forwards it to a Java Server.
> >
> >The server accepts the security context using the following logic:
> >
> >private GSSContext acceptSecurityContext(Subject serverSubject, final byte[] kerberosServiceTicket) {
> >    return Subject.doAs(serverSubject, (PrivilegedAction<GSSContext>) () -> {
> >        GSSContext gssContext;
> >        try {
> >            gssContext = manager.createContext((GSSCredential) null);
> >        } catch (GSSException ex) {
> >            LOGGER.warn("Could not create Kerberos gssContext: " + ex.getMessage(), ex);
> >            return null;
> >        }
> >        try {
> >            gssContext.acceptSecContext(kerberosServiceTicket, 0, kerberosServiceTicket.length);
> >        } catch (GSSException ex) {
> >            LOGGER.warn("Could not accept security context: " + ex.getMessage(), ex);
> >            return null;
> >        }
> >        return gssContext;
> >    });
> >}
> >
> >I am trying to implement a C client - similar to the Java one - using MIT
> >krb5 API and I can't seem to make it work. So far this is my C client code:
> >
> > krb5_context context;
> > krb5_ccache ccache;
> > krb5_creds *outCreds = NULL;
> > krb5_creds inCreds;
> > int retval;
> > char *principal = "...";
> >
> > retval = krb5_init_secure_context(&context);
> > ...
> >
> > retval = krb5_cc_default(context, &ccache);
> > ...
> >
> > memset(&inCreds, 0, sizeof(inCreds));
> > retval = krb5_parse_name(context, principal, &inCreds.server);
> > ...
> >
> > retval = krb5_cc_get_principal(context, ccache, &inCreds.client);
> > ...
> >
> > retval = krb5_get_credentials(context, 0, ccache, &inCreds, &outCreds);
> > ...
> >
> > // also tried using the following: krb5Ticket->enc_part.ciphertext.data
> > // (maybe this is the correct way, but I should somehow decrypt it and use krb5Ticket->enc_part2 ?)
> > // retval = krb5_decode_ticket(&outCreds->ticket, &krb5Ticket);
> > // ...
> >
> > char *base64KerberosTicket = base64_encode(outCreds->ticket.data, strlen(outCreds->ticket.data));
> >
> > char *response = loginKerberos(base64KerberosTicket);
> > ...
> >
> >Thank you in advance.
> >
> >Best regards,
> >Dean
> >_______________________________________________
> >krbdev mailing list krbdev at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
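
Added example, not part of the thread and not MIT krb5 code: the original client base64-encoded `outCreds->ticket`, a bare Kerberos Ticket, while `acceptSecContext` consumes GSS-API context tokens of the kind `gss_init_sec_context` emits. The code below tells the two apart by their outer DER framing (RFC 2743, RFC 4121); `classify_blob`, `der_length` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum blob_kind { BLOB_UNKNOWN, BLOB_KRB5_TICKET, BLOB_KRB5_AP_REQ, BLOB_GSS_KRB5_TOKEN };
/* DER content bytes of the Kerberos V5 GSS mechanism OID 1.2.840.113554.1.2.2 */
static const unsigned char KRB5_MECH_OID[] = { 0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02 };

/* Constructed samples (framing only, not real tickets). */
static const unsigned char SAMPLE_TICKET[] = { 0x61,0x07,0x30,0x05,0xa0,0x03,0x02,0x01,0x05 };
static const unsigned char SAMPLE_GSS_TOKEN[] = { 0x60,0x0f,0x06,0x09,
    0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, /* mechanism OID */
    0x01,0x00,                                    /* TOK_ID: AP-REQ (RFC 4121) */
    0x6e,0x00 };                                  /* empty AP-REQ stub */

/* Read a DER length at buf[*pos]; 0 on success, -1 if malformed. */
static int der_length(const unsigned char *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t n = b & 0x7f;                           /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Identify a blob from its outer tag; len must be the real byte count, never strlen(). */
enum blob_kind classify_blob(const unsigned char *buf, size_t len)
{
    size_t pos = 1, body;
    if (len < 2 || der_length(buf, len, &pos, &body) != 0 || body > len - pos)
        return BLOB_UNKNOWN;                       /* malformed or truncated */
    switch (buf[0]) {
    case 0x61: return BLOB_KRB5_TICKET;  /* [APPLICATION 1] Ticket */
    case 0x6e: return BLOB_KRB5_AP_REQ;  /* [APPLICATION 14] AP-REQ */
    case 0x60:                           /* [APPLICATION 0] GSS initial context token */
        if (body >= 2 + sizeof KRB5_MECH_OID && buf[pos] == 0x06 &&
            buf[pos + 1] == sizeof KRB5_MECH_OID &&
            memcmp(buf + pos + 2, KRB5_MECH_OID, sizeof KRB5_MECH_OID) == 0)
            return BLOB_GSS_KRB5_TOKEN;
        return BLOB_UNKNOWN;
    default: return BLOB_UNKNOWN;
    }
}

int main(void)
{
    printf("ticket=%d\n", classify_blob(SAMPLE_TICKET, sizeof SAMPLE_TICKET));
    printf("gss=%d\n", classify_blob(SAMPLE_GSS_TOKEN, sizeof SAMPLE_GSS_TOKEN));
    return 0;
}
```

The constructed GSS sample contains a 0x00 byte, so measuring it with `strlen()` yields a truncated length that the classifier rejects.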