[30841] in Kerberos

Re: WS-Security and GSS-API: How do I get the session key?

daemon@ATHENA.MIT.EDU (Max (Weijun) Wang)
Mon Mar 9 15:54:31 2009

Date: Mon, 09 Mar 2009 10:45:50 +0800
From: "Max (Weijun) Wang" <Weijun.Wang@Sun.COM>
In-reply-to: <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com>
To: Luke Howard <lukeh@padl.com>
Message-id: <C417AF39-2EE2-4496-92B6-F8BAF8569E56@Sun.COM>
Cc: kerberos@mit.edu

> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gsskrb5_extract_authtime_from_sec_context()

I guess the tkt or authXXX above are all for the initial TGT (instead
of any service ticket). Right?

Thanks
Weijun

On Mar 7, 2009, at 10:01 AM, Luke Howard wrote:

>> BTW, I read the krb5-1.7 code and notice you're supporting some other
>> OIDs for this new function:
>>
>> KRB5_GET_TKT_FLAGS
>> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
>> KRB5_EXPORT_LUCID_SEC_CONTEXT
>> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>>
>> I wonder how widely they are required and whether we should also
>> support them. Can you give me some background info?
>
> These are just shims for indirecting existing mechanism-specific
> APIs through the mechanism glue (so that the mechanism glue itself
> need not be polluted with mechanism-specific API). They correspond to:
>
> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gss_krb5_export_lucid_sec_context()
> gsskrb5_extract_authtime_from_sec_context()
>
> I think only the extract_authXXX APIs are new for 1.7. The usage for
> gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal:
>
> http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html
>
> gsskrb5_extract_authtime_from_sec_context() gets the authtime from
> the ticket.
>
> Let me know if you have further questions.
>
> -- Luke

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos