[30747] in Kerberos


Re: Establishing client credentials (TGT etc.) with GSSAPI

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Feb 20 19:35:48 2009

Date: Fri, 20 Feb 2009 18:17:53 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Chris <chriscorbell@gmail.com>
Message-ID: <20090221001753.GH9992@Sun.COM>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
> I'm working on implementing Kerberos authentication from a C++ client
> to a Java service.  The Java service wants a GSSAPI context.
> 
> Is it correct that, if you can't rely on default GSSAPI credentials
> (i.e. login identity and pre-cached TGT), then a client should use
> gss_acquire_credentials() to establish this?  I have tried this but
> haven't had success and just want to make sure I'm on the right path.

The GSS-API does not give you a way to acquire initial credentials
(i.e., anything involving interaction with the user to obtain things
like principal name, password, smartcard/token PIN, ...).  That's out of
scope for the GSS-API.

IIRC JAAS does give you a way to do that, but I don't remember exactly.

What the GSS_Acquire_cred() and GSS_Add_cred() functions allow you to do
is to choose a credential to use when many are available.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
