Hi All,


Hi All,

Ming Zhi
I have run into a development issue with Kerberos's GSSAPI.
The krb5 library has `send hook' support, as is done in
`krb5_set_kdc_send_hook'. This is very useful for me in a project where
the network traffic is restricted to a single TCP connection, which is
shared between different clients by multiplexing, and a dedicated KDC
communication channel is not available. The hook provides a perfect way to
get the KDC messages to their destination over the shared TCP connection.

On the other hand, GSSAPI is nice because it has a uniform interface to
different authentication mechanisms, Kerberos included, and it saves a
lot of effort compared to using the native krb5 API. So I would like to use
it for the Kerberos development.

But with GSSAPI, I cannot find an official way to set the hook between the
`context' creation and the start of KDC traffic, as both are done in a single
function, `gss_init_sec_context'. The worst case is that I need to get my
hands dirty and change the source code.

Do any of you have suggestions on this issue? Looking forward to
your comments.

woodhead99
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi All,

Greg Hudson
On 5/26/20 2:54 AM, Ming Zhi wrote:
> But with GSSAPI, I cannot find an official way to set the hook between the
> `context' creation and the start of kdc traffic, as is done in a single
> function `gss_init_sec_context'. The worst situation is that I need to get
> hands dirty to change the source code.

Unfortunately I don't think we have a good solution here.  We have a
"locate" pluggable interface [1] which might work (basically, have it
always return a local service, which then parses out the realm name from
the request).

I am personally fond of the idea of having a krb5 interface to control
the per-thread krb5_context object used by the GSS mech, for situations
like these.  But other people have disliked the idea, so I haven't
implemented it.

[1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html
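The "locate" approach Greg describes (point the library at a local service, which then parses the realm out of the request and forwards it) hinges on one detail: the realm sits in cleartext in the KDC-REQ-BODY of every AS-REQ and TGS-REQ, so a front end on the shared connection can route on it without understanding anything else. The following is an added example, not code from the krb5 project or from either poster. It hand-rolls the small DER subset needed, constructs sample AS-REQ/TGS-REQ messages with the RFC 4120 TCP length-prefix framing, and shows a demultiplexer tagging each request with its realm. The names `build_kdc_req`, `extract_realm`, `route_frames`, the nonce and the timestamp are all assumptions made for the example.

```python
"""Constructed example: a local KDC front end that receives KDC requests
over one shared TCP stream, extracts the realm from each AS-REQ/TGS-REQ,
and hands the request to a per-realm forwarder. Not krb5 project code."""
import struct

# --- minimal DER helpers (only what KDC-REQ needs) --------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content

def _read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); rejects high-tag-number and indefinite length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _children(content):
    """Map tag -> content for the elements of a SEQUENCE (each context tag appears once)."""
    out, pos = {}, 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out[tag] = value
    return out

def _int(v):  return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def _ctx(n, content):  return _tlv(0xA0 | n, content)      # [n] EXPLICIT
def _gstr(s):  return _tlv(0x1B, s.encode("ascii"))         # GeneralString
def _seq(*items):  return _tlv(0x30, b"".join(items))
def _principal(name_type, *parts):
    return _seq(_ctx(0, _int(name_type)), _ctx(1, _seq(*map(_gstr, parts))))

def build_kdc_req(msg_type, client, realm, nonce=0x1A2B3C4D):
    """Constructed AS-REQ (10) or TGS-REQ (12) for krbtgt/realm; padata omitted."""
    app_tag = {10: 0x6A, 12: 0x6C}[msg_type]            # [APPLICATION 10] / [APPLICATION 12]
    body = _seq(
        _ctx(0, _tlv(0x03, b"\x00\x40\x00\x00\x10")),   # KDCOptions: forwardable, renewable-ok
        _ctx(1, _principal(1, client)),                  # cname, NT-PRINCIPAL
        _ctx(2, _gstr(realm)),                           # realm: the only field the front end needs
        _ctx(3, _principal(2, "krbtgt", realm)),         # sname, NT-SRV-INST
        _ctx(5, _tlv(0x18, b"20200527060100Z")),         # till, GeneralizedTime (sample value)
        _ctx(7, _int(nonce)),
        _ctx(8, _seq(_int(18), _int(17))),               # etype: aes256-cts, aes128-cts
    )
    return _tlv(app_tag, _seq(_ctx(1, _int(5)), _ctx(2, _int(msg_type)), _ctx(4, body)))

def _field(fields, n):
    try:
        return fields[0xA0 | n]
    except KeyError:
        raise ValueError("missing field [%d]" % n) from None

def extract_realm(msg):
    """Realm from the KDC-REQ-BODY of an AS-REQ or TGS-REQ; ValueError for anything else."""
    app_tag, content, end = _read_tlv(msg)
    if end != len(msg) or app_tag not in (0x6A, 0x6C):
        raise ValueError("not an AS-REQ/TGS-REQ")
    seq_tag, seq, _ = _read_tlv(content)
    if seq_tag != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    fields = _children(seq)
    expected = 10 if app_tag == 0x6A else 12
    if _read_tlv(_field(fields, 2))[1] != bytes([expected]):
        raise ValueError("msg-type does not match application tag")
    body_tag, body, _ = _read_tlv(_field(fields, 4))
    if body_tag != 0x30:
        raise ValueError("KDC-REQ-BODY is not a SEQUENCE")
    realm_tag, realm, _ = _read_tlv(_field(_children(body), 2))
    if realm_tag != 0x1B:
        raise ValueError("realm is not a GeneralString")
    return realm.decode("ascii")

def frame(msg):
    """RFC 4120 section 7.2.2 TCP framing: 4-byte big-endian length, high bit reserved."""
    return struct.pack(">I", len(msg)) + msg

def route_frames(stream):
    """Split a shared TCP byte stream into KDC requests, tagging each with its realm."""
    routed, pos = [], 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", stream[pos:pos + 4])
        if n & 0x80000000:
            raise ValueError("reserved high bit set in length prefix")
        pos += 4
        if pos + n > len(stream):
            raise ValueError("truncated KDC message")
        msg = stream[pos:pos + n]
        pos += n
        routed.append((extract_realm(msg), msg))   # realm is unauthenticated: route on it, never trust it
    return routed

# Constructed sample: two clients' requests interleaved on one connection.
SAMPLE_STREAM = (frame(build_kdc_req(10, "alice", "EXAMPLE.COM"))
                 + frame(build_kdc_req(12, "bob", "CORP.EXAMPLE")))

if __name__ == "__main__":
    for realm, msg in route_frames(SAMPLE_STREAM):
        print(realm, len(msg), "bytes")
```

The realm read this way is whatever the client put in the request; it is neither signed nor encrypted, so a front end should use it purely for choosing which KDC to forward to, and the per-realm forwarder should still apply its normal limits (frame length caps, timeouts, one outstanding request per client) so one misbehaving client cannot stall the shared connection for the others.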

Re: Hi All,

Ming Zhi
Thanks for your great suggestion; it solves my problem!

On Wed, May 27, 2020 at 6:01 AM Greg Hudson <[hidden email]> wrote:

> On 5/26/20 2:54 AM, Ming Zhi wrote:
> > But with GSSAPI, I cannot find an official way to set the hook between the
> > `context' creation and the start of kdc traffic, as is done in a single
> > function `gss_init_sec_context'. The worst situation is that I need to get
> > hands dirty to change the source code.
>
> Unfortunately I don't think we have a good solution here.  We have a
> "locate" pluggable interface [1] which might work (basically, have it
> always return a local service, which then parses out the realm name from
> the request).
>
> I am personally fond of the idea of having a krb5 interface to control
> the per-thread krb5_context object used by the GSS mech, for situations
> like these.  But other people have disliked the idea, so I haven't
> implemented it.
>
> [1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html
>