Session Key through GSS-API

Stephen Brown Stephen.Brown at
Tue Feb 28 12:37:59 EST 2023

So, the application is an odbc driver which implements the oracle database wire-protocol (which unfortunately is not publicly documented). We  have found that the session key is needed for cypher reinitialization at connect time when using kerberos authentication and "oracle advanced security" is enabled on the server. If we use the subkey the server is immediately killing the connection. But with the session key we're able to connect.

-----Original Message-----
From: Greg Hudson <ghudson at> 
Sent: Tuesday, February 28, 2023 12:11 PM
To: Stephen Brown <Stephen.Brown at>; krbdev at
Subject: Re: Session Key through GSS-API

On 2/28/23 08:17, Stephen Brown via krbdev wrote:
> My application is using Kerberos via GSS-API but needs to access the session key. I saw that I can call gss_inquire_sec_context_by_oid() passing in GSS_C_INQ_SSPI_SESSION_KEY. However it looks like the key returned by this method is obtained via krb5_auth_con_getsendsubkey() which is the sub-session key (I believe) and not what I need.

Can you give a little more context around what protocol this application is implementing and why it needs the ticket session key and not the subkey?

More information about the krbdev mailing list