[16456] in Kerberos_V5_Development
inspecting krb5 ticket in GSSAPI
daemon@ATHENA.MIT.EDU (Frank Cusack)
Tue Nov 9 14:50:43 2010
Date: Tue, 09 Nov 2010 11:50:30 -0800
From: Frank Cusack <frank+krb@linetwo.net>
To: krbdev@mit.edu
Message-ID: <3C3C22DA02DF9F4FFB3FFB76@dhcp-172-19-76-254.mtv.corp.google.com>

If I want my GSSAPI server application to inspect the Kerberos
ticket flags, is there a way to do this?

It looks like I would just take the token the client sent, verify
the mechanism and then *do something* to extract the krb5 ticket.
Then I could create a krb5 context and look at the flags.

What I'd like to do is have the GSSAPI server verify that the hwauth
flag is set. Or is it better to set the require_hwauth flag on the
server principal in the KDC? That means my app can't directly enforce
it, so not ideal but it would be ok. (Does that flag work that way?)