Extracting AuthorizationData from GSS-API credentials?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Extracting AuthorizationData from GSS-API credentials?

Rick van Rein (OpenFortress)
Hi,

Is there an API to extract AuthorizationData from GSSAPI credentials
that use Kerberos under the hood?  I cannot find it in the RFCs.

Thanks,
 -Rick
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extracting AuthorizationData from GSS-API credentials?

Greg Hudson
On 10/26/2018 06:30 PM, Rick van Rein wrote:> Is there an API to extract
AuthorizationData from GSSAPI credentials
> that use Kerberos under the hood?  I cannot find it in the RFCs.

The shortest-path answer for you is probably the extension
gsskrb5_extract_authz_data_from_sec_context(), which is implemented in
MIT krb5 and Heimdal.

The cleaner answer is name attributes (RFC 6680), ideally with
well-considered cross-mechanism names, but that requires extra
implementation work for each authorization data type.  MIT krb5 has a
pluggable interface for doing that translation, but it's unfortunately
not polished or stable.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos