[30846] in Kerberos


Re: WS-Security and GSS-API: How do I get the session key?

daemon@ATHENA.MIT.EDU (Luke Howard)
Tue Mar 10 03:49:15 2009

Message-Id: <988BB710-CBEA-40A5-BBA8-C772E7B60101@padl.com>
From: Luke Howard <lukeh@padl.com>
To: Weijun Wang <Weijun.Wang@Sun.COM>
In-Reply-To: <49B5E858.7040009@sun.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 10 Mar 2009 18:48:13 +1100
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Yes, they're mostly intended for use by the acceptor (except for the  
session key API).

-- Luke

On 10/03/2009, at 3:11 PM, Weijun Wang wrote:

> I see. So after a security context is established, these functions
> should return the same results on both sides. Of course, if a
> particular piece of info is only available from the encrypted part of
> the service ticket, only the service side knows it and this function
> is not supported on the client side.
>
> Max
>
> Luke Howard wrote:
>>
>> On 09/03/2009, at 1:45 PM, Max (Weijun) Wang wrote:
>>
>>>> gss_krb5_get_tkt_flags()
>>>> gsskrb5_extract_authz_data_from_sec_context()
>>>> gsskrb5_extract_authtime_from_sec_context()
>>>
>>> I guess the tkt or authXXX above are all for the initial TGT (instead
>>> of any service ticket). Right?
>>
>> The service ticket; the service does not have the TGT (although the
>> KDC may use the TGT in deriving those values).
>>
>> -- Luke
>

--
www.padl.com | www.fghr.net

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
