Replacements for deprecated Kerberos APIs?

Morrison, Wayne
I'm trying to document the replacement calls for the deprecated Kerberos APIs.  Here's the list that I have so far, but I'm not sure what the proper new calls are for some of the old APIs.  Can anyone fill in the blanks?  Am I missing any?

I've tried Google, but I only get documentation on the old APIs, and not on what they should be replaced with.  The information I have so far came from discussions on the various Kerberos mailing lists.

Old API                          New API
-------                          -------
krb5_auth_con_getlocalsubkey     krb5_auth_con_getsendsubkey
krb5_auth_con_getremotesubkey    krb5_auth_con_getrecvsubkey
krb5_auth_con_initivector        ??
krb5_get_in_tkt                  ??
krb5_get_in_tkt_with_skey        ??
krb5_get_in_tkt_with_password    krb5_get_init_creds_password
krb5_get_in_tkt_with_keytab      krb5_get_init_creds_keytab

Wayne Morrison, CISSP
OpenVMS Security/eBusiness Engineering
Hewlett-Packard Company
110 Spit Brook Road
Nashua, New Hampshire

krbdev mailing list             [hidden email]

Re: Replacements for deprecated Kerberos APIs?

I think your list is fairly correct.  RFC 4120 doesn't have anything
like the initvector concept; you should only need that API if you have
a really old protocol to deal with.

There are not replacements for the get_in_tkt calls besides password
and keytab.  We haven't seen much of a demand for them and it made
dealing with preauth challenging.  If people want a replacement for
krb5_get_in_tkt_skey we can create a memory-based keytab to use.

