
Re: How to get Kerberos token for proxy authentication

daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Jun 4 15:16:03 2024

Message-ID: <12295834c7d0e42701da2d7689ac2e13e0a6395c.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: "m_a_n_j_u_s_k@yahoo.com" <m_a_n_j_u_s_k@yahoo.com>,
        Thomas Kula
 <kula@tproa.net>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 04 Jun 2024 15:15:48 -0400
In-Reply-To: <1164986234.1357879.1717504286646@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2024-06-04 at 12:31 +0000, m_a_n_j_u_s_k@yahoo.com wrote:
> Hi again,
> 
> I am looking at implementing this (getting a Kerberos service
> token) in C using the Heimdal Kerberos library.
> 
> In Golang using this go package https://github.com/alexbrainman/sspi
> it was simply two calls as below:
> 
> cred=negotiate.AcquireCurrentCredentials()
> token = negotiate.NewClientContext(cred, spn)
> 
> However, it looks a bit complex in C using the MIT/Heimdal library. I am
> looking at this example mentioned in the RFC here:
> https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
> 
> Just checking if someone has done a similar thing and I am on the
> right track. Thank you.
> 

You are comparing a full loop with just setting up the initial context.

The two calls you have on those two lines are indeed equivalent to:

   maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,
                          desired_mechs, cred_usage, creds,
                          actual_mechs, NULL);

and

   maj = gss_init_sec_context(&min, init_cred, &init_ctx,
                              accept_name, mech_type, GSS_C_DELEG_FLAG,
                              req_lifetime, GSS_C_NO_CHANNEL_BINDINGS,
                              &accept_token, NULL, &init_token, NULL,
                              NULL);


Where all those variables are set to default values.
Of course this is missing all error handling, and, if you use defaults
it will miss many nuances.

As Ken suggested, you should look at real examples; libcurl may be a
way. I can also suggest this library of mine:
https://github.com/gssapi/mod_auth_gssapi/blob/master/src/mod_auth_gssapi.c

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
