Session Key through GSS-API

Greg Hudson ghudson at
Tue Feb 28 17:39:30 EST 2023

On 2/28/23 12:37, Stephen Brown wrote:
> So, the application is an odbc driver which implements the oracle database wire-protocol (which unfortunately is not publicly documented). We  have found that the session key is needed for cypher reinitialization at connect time when using kerberos authentication and "oracle advanced security" is enabled on the server. If we use the subkey the server is immediately killing the connection. But with the session key we're able to connect.

Thanks for the added context.

I don't think there is presently a GSS extension to get at the ticket 
session key.  Even gss_export_lucid_sec_context(), which probably 
couldn't be used because it destroys the context, reports only the 
sender and acceptor subkey.  We could consider adding a minimal 
interface along the lines of GSS_C_INQ_SSPI_SESSION_KEY.

More information about the krbdev mailing list