I am new to GSS-API, and I am on a project whose goal is to make a Kerberos implementation.
I read the application developer documentation from MIT at http://web.mit.edu/kerberos/krb5-latest/doc/appdev/index.html.
I also read RFC 2744, GSS-API C bindings.

My question is:
* The Kerberos protocol consists of AS-REQ, AS-REP, TGS-REQ, TGS-REP, AP-REQ, AP-REP.
* GSS-API consists of credential management routines (e.g. gss_acquire_cred), context-level routines (e.g. gss_init_sec_context), etc.

How do I make use of GSS-API routines to implement Kerberos?
I do not see any ticket-producing routines, timestamp-embedding routines, etc., which are there in Kerberos.

Thanks in advance.

monic

1 Answer

OK, first things first: GSS-API is the Generic Security Services API. It is implemented as a layer above the Kerberos API. Remember that GSS-API need not use Kerberos (it can just as easily use some other authentication protocol as well).

GSS-API does not have a way to get a TGT. That is done by the Kerberos API (you can write some krb5 API based code to get a Kerberos cred and then convert it to a GSS cred).

A context is an object maintained by both parties (auth initiator and acceptor). They are updated by using gss_init_sec_context (initiator-side call) and gss_accept_sec_context (acceptor side). In the case of Kerberos, it basically is the entire process of using the TGT, ST, etc., and then finally establishing trust and sharing a session key.

So to answer your question - you do not use GSS-API to implement Kerberos functions. It is the other way around.

Arunav Sanyal
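To make the layering concrete, here is an added example (not part of the answer above, and not MIT's code) that parses the token gss_init_sec_context emits and shows the Kerberos message inside it. It assumes the initial-token framing of RFC 2743 section 3.1 and the Kerberos mechanism token IDs of RFC 4121; the function name `gss_krb5_inner_type` and the sample token are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t KRB5_MECH_OID[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
/* Constructed sample: GSS framing + TOK_ID 01 00 + an empty AP-REQ (tag 0x6e) */
static const uint8_t SAMPLE_TOKEN[] = {0x60,0x0f,0x06,0x09,0x2a,0x86,0x48,0x86,
    0xf7,0x12,0x01,0x02,0x02,0x01,0x00,0x6e,0x00};

/* Read a DER length at buf[*pos]; returns 0 on success, -1 if malformed. */
static int der_len(const uint8_t *buf, size_t n, size_t *pos, size_t *out) {
    if (*pos >= n) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t cnt = b & 0x7f;                          /* long form: cnt length bytes */
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    size_t v = 0;
    while (cnt--) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 0;
}

/* Returns the Kerberos message carried in a GSS-API context token,
   "not-krb5" for another mechanism, or NULL if the framing is malformed. */
const char *gss_krb5_inner_type(const uint8_t *tok, size_t n) {
    size_t pos = 0, len, oidlen;
    if (n < 2 || tok[pos++] != 0x60) return NULL;   /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &len) || len != n - pos) return NULL;
    if (pos >= n || tok[pos++] != 0x06) return NULL; /* OBJECT IDENTIFIER */
    if (der_len(tok, n, &pos, &oidlen) || oidlen > n - pos) return NULL;
    if (oidlen != sizeof KRB5_MECH_OID ||
        memcmp(tok + pos, KRB5_MECH_OID, oidlen) != 0) return "not-krb5";
    pos += oidlen;
    if (n - pos < 2) return NULL;                   /* two-byte TOK_ID */
    switch ((tok[pos] << 8) | tok[pos + 1]) {
    case 0x0100: return "AP-REQ";     /* output of gss_init_sec_context */
    case 0x0200: return "AP-REP";     /* reply from gss_accept_sec_context */
    case 0x0300: return "KRB-ERROR";
    default:     return "unknown";
    }
}

int main(void) {
    printf("%s\n", gss_krb5_inner_type(SAMPLE_TOKEN, sizeof SAMPLE_TOKEN));
    return 0;
}
```

The AS and TGS exchanges never appear in these tokens: they happen between the client library and the KDC, below the GSS-API calls.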