Session Key through GSS-API
ghudson at mit.edu
Tue Feb 28 17:39:30 EST 2023
On 2/28/23 12:37, Stephen Brown wrote:
> So, the application is an odbc driver which implements the oracle database wire-protocol (which unfortunately is not publicly documented). We have found that the session key is needed for cypher reinitialization at connect time when using kerberos authentication and "oracle advanced security" is enabled on the server. If we use the subkey the server is immediately killing the connection. But with the session key we're able to connect.
Thanks for the added context.
I don't think there is presently a GSS extension to get at the ticket
session key. Even gss_export_lucid_sec_context(), which probably
couldn't be used because it destroys the context, reports only the
sender and acceptor subkey. We could consider adding a minimal
interface along the lines of GSS_C_INQ_SSPI_SESSION_KEY.
More information about the krbdev