Iterate over server credentials

Iterate over server credentials

Dylan Klomparens
Hello,

I'm writing a program that accepts Kerberos authentication using the
GSSAPI. The program acquires credentials using gss_acquire_cred_from() with
a keytab specified, and this is working properly. The keytab has multiple
principals stored in it. I want to output all the principals that were
acquired, so I tried to use gss_inquire_cred() to find out and
gss_display_name() to print them. This allows me to output the first
principal in the keytab, but only the first one. Is there a way to output
all of them? How can I iterate through all the principals acquired from a
single keytab and output their names?

Once I accept a security context, the program is authenticating correctly,
so it stands to reason that I'm legitimately acquiring multiple credentials
from the same keytab.

(Please forgive any mix-ups in terminology I may have made; I'm not fully
versed in the Kerberos vocabulary.)

Thanks,
-- Dylan Klomparens
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Iterate over server credentials

Benjamin Kaduk-2
On Wed, Mar 22, 2017 at 03:48:21PM -0400, Dylan Klomparens wrote:

> Hello,
>
> I'm writing a program that accepts Kerberos authentication using the
> GSSAPI. The program acquires credentials using gss_acquire_cred_from() with
> a keytab specified, and this is working properly. The keytab has multiple
> principals stored in it. I want to output all the principals that were
> acquired, so I tried to use gss_inquire_cred() to find out and
> gss_display_name() to print them. This allows me to output the first
> principal in the keytab, but only the first one. Is there a way to output
> all of them? How can I iterate through all the principals acquired from a
> single keytab and output their names?

RFC 2743 is pretty clear that a GSS credential handle can represent
only a single (named) entity, though it may have credentials for
that entity with multiple mechanisms.  Since there is only one
GSS name associated with the credential, there is no need to
iterate.

That said, for the case where the Kerberos keytab in question is the
default location (/etc/krb5.keytab, or what is specified by the
KRB5KTNAME environment variable), gss_accept_sec_context() with
GSS_C_NO_CREDENTIAL as the acceptor credential handle will
automatically search through all identities in the keytab and use
any of them, if they match the message from the client.

> Once I accept a security context, the program is authenticating correctly,
> so it stands to reason that I'm legitimately acquiring multiple credentials
> from the same keytab.

What you have said here is not enough information to establish your
conclusion.  How do we know what names the initiators are trying to
use to contact the service?

-Ben
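Ben's point is that the GSS credential handle carries exactly one name, so the full list of principals has to come from the keytab itself. As an added example (not from this thread, and not MIT krb5 code), the Python below reads the MIT keytab file format directly (version 0x0502, big-endian integers) and lists the distinct principals, skipping deleted slots and honouring the optional 32-bit kvno; the sample keytab bytes are constructed inline with dummy key material.

```python
import struct

def _cstr(buf, pos):
    """uint16 length-prefixed octet string (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in an MIT 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                 # skip the key material itself
        # A 32-bit kvno follows the key when the entry has room for it; else use vno8.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def principals(data):
    """Distinct principal names in keytab order (one name usually has several enctypes)."""
    return list(dict.fromkeys(name for name, _, _ in parse_keytab(data)))

def _entry(comps, realm, enctype, key, kvno, ts=1490212101):
    """Build one keytab entry for the constructed sample (key bytes are dummies)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: host/ with two enctypes, one deleted slot, then HTTP/ at kvno 5.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _entry([b"host", b"www.example.com"], b"EXAMPLE.COM", 18, b"\x00" * 32, 3)
    + _entry([b"host", b"www.example.com"], b"EXAMPLE.COM", 17, b"\x00" * 16, 3)
    + struct.pack(">i", -8) + b"\x00" * 8
    + _entry([b"HTTP", b"www.example.com"], b"EXAMPLE.COM", 18, b"\x00" * 32, 5))
```

On a real keytab the output of `principals()` should match the names shown by `klist -k <keytab>`, which is the quick way to audit which service identities an acceptor can actually use.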