Iterate over server credentials

2017-03-22 Thread Dylan Klomparens
Hello,

I'm writing a program that accepts Kerberos authentication using the
GSSAPI. The program acquires credentials using gss_acquire_cred_from() with
a keytab specified, and this is working properly. The keytab has multiple
principals stored in it. I want to output all the principals that were
acquired, so I tried to use gss_inquire_cred() to find out and
gss_display_name() to print them. This allows me to output the first
principal in the keytab, but only the first one. Is there a way to output
all of them? How can I iterate through all the principals acquired from a
single keytab and output their names?

Once I accept a security context, the program is authenticating correctly,
so it stands to reason that I'm legitimately acquiring multiple credentials
from the same keytab.

(Please forgive any mixups in terminology I may have made, I'm not fully
versed in the Kerberos vocabulary.)

Thanks,
-- Dylan Klomparens

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Kerberos error codes

2016-04-20 Thread Dylan Klomparens
Hello, I am writing a program that uses Kerberos. The program is intended
to be used by a service to verify clients' identities. MIT's developer
documentation recommends "the GSSAPI ... for secure network communication
over using the libkrb5 API directly." This led me to use the function
gss_accept_sec_context to verify credentials. I would like my program to be
as robust as possible, and output any error codes in an understandable way.
The gss_accept_sec_context function has a "major" error code (its return
value) and a "minor" error code to convey Kerberos specific errors. I am
able to find plenty of documentation on the major error code. However, I am
unable to find a list of Kerberos specific error codes within GSSAPI. Does
anyone know where this might be documented? If it's not documented, I will
be happy to write the documentation and submit a pull request on Github.

My other question is, why does MIT recommend using GSSAPI over the libkrb5
API directly? From a design perspective, I'd like to minimize the number of
dependencies that my program has. By minimizing dependencies, complexity
and potential attack surface (for application security) is reduced for my
program. If my requirement is that I only need to verify service tickets
from clients, am I better off using libkrb5 directly?

Thanks,
-- Dylan Klomparens
