[30758] in Kerberos


Re: WS-Security and GSS-API: How do I get the session key?

daemon@ATHENA.MIT.EDU (Luke Howard)
Tue Feb 24 08:32:28 2009

Message-Id: <DBDBC30C-FAC6-4A3E-BC26-C8929E0B4489@padl.com>
From: Luke Howard <lukeh@padl.com>
To: Thomas Maslen <Thomas.Maslen@quest.com>
In-Reply-To: <723530449330F342A68634ADF3CE8DE203395D134D@alvxmbw02.prod.quest.corp>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Wed, 25 Feb 2009 00:31:30 +1100
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In MIT Kerberos 1.7, you can use gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY).

-- Luke

On 24/02/2009, at 4:59 PM, Thomas Maslen wrote:

> On Feb 23, 2009, at 04:39, Speedo wrote:
>> I guess this issue had been discussed before: WS-Security negotiates
>> with Kerberos 5 but uses the session key in a different way from GSS
>> tokens. Since GSS-API is the public API to access Kerberos 5, is there
>> any recent progress in enhancing the GSS-API to provide a function
>> like gss_get_session_key()?
>
> Yes, we bumped up against this with our Java implementation of Kerberos,
> GSSAPI, etc.
>
> Since we have our own implementation (c.f. the ones that Sun and IBM ship
> in their respective JDKs), I added a home-grown API[*] to extract the session
> key from the GSSContext once the context is established, precisely to
> support the WS-Security Kerberos Token Profile.
>
> But if that isn't an option...  the initial context token for the Kerberos 5
> GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI
> framing prepended, so perhaps you can strip off the GSSAPI cruft
> (including the non-ASN.1 bytes), leaving you with the AP-REQ, and
> you probably have lots of tasty APIs to process that and then give you
> the session key?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
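
The framing-strip approach suggested in the quoted message, as an added example that is not part of the thread or of any Kerberos implementation: it validates the RFC 2743 section 3.1 / RFC 1964 framing (the [APPLICATION 0] tag, DER length, mechanism OID and two-byte TOK_ID) and returns a pointer to the AP-REQ. The function name `strip_krb5_gss_framing` and the sample token are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER-encoded Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static const uint8_t KRB5_MECH_OID[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Constructed sample: framing plus a 4-byte placeholder standing in for an AP-REQ. */
static const uint8_t SAMPLE_TOKEN[] = {
    0x60, 0x11,                       /* [APPLICATION 0], content length 17 */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x01, 0x00,                       /* TOK_ID for AP-REQ (the non-ASN.1 bytes) */
    0x6e, 0x02, 0x30, 0x00 };         /* placeholder only, not a valid AP-REQ */

/* Read a DER length at buf[*pos]; returns 0 on success, -1 on malformed input. */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t n = b & 0x7f, v = 0;                    /* long form: n length octets */
    if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
    while (n--) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 0;
}

/* Hypothetical helper: find the AP-REQ inside a Kerberos 5 initial context token.
 * On success returns 0 and points *ap_req into tok; returns -1 if malformed. */
int strip_krb5_gss_framing(const uint8_t *tok, size_t len,
                           const uint8_t **ap_req, size_t *ap_req_len)
{
    size_t pos = 0, body;
    if (len < 1 || tok[pos++] != 0x60) return -1;           /* outer tag */
    if (der_length(tok, len, &pos, &body) != 0) return -1;
    if (body != len - pos) return -1;                       /* reject truncation or trailing data */
    if (body < sizeof(KRB5_MECH_OID) + 3) return -1;        /* OID + TOK_ID + 1 byte */
    if (memcmp(tok + pos, KRB5_MECH_OID, sizeof(KRB5_MECH_OID)) != 0) return -1;
    pos += sizeof(KRB5_MECH_OID);
    if (tok[pos] != 0x01 || tok[pos + 1] != 0x00) return -1; /* must be AP-REQ TOK_ID */
    pos += 2;
    if (tok[pos] != 0x6e) return -1;                        /* AP-REQ is [APPLICATION 14] */
    *ap_req = tok + pos;
    *ap_req_len = len - pos;
    return 0;
}
```

The returned bytes still have to be decoded and decrypted by a Kerberos library holding the service key before any session key is available.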
