krb5_init_context()

Scot McKinley
Hi all,

For our use of KfW, we are using krb5_init_context() as our initial call
to krb5, attempting to use the environment interface defined for the
API. The problem is that env on windows is not well supported and is
buggy (env is actually cached at the loading of particular library).

I see now that there is another API: krb5_init_secure_context(), which
appears to be created to get around exactly this type of env problem. Do
you let me know or point me to doc that shows the interface for this new
function?

Thanks, Scot

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: krb5_init_context()

Greg Hudson
On 9/2/20 2:31 PM, Scot McKinley wrote:
> For our use of KfW, we are using krb5_init_context() as our initial call
> to krb5, attempting to use the environment interface defined for the
> API. The problem is that env on windows is not well supported and is
> buggy (env is actually cached at the loading of particular library).

I'm not sure what "the environment interface defined for the API" refers
to.  But I am aware of
https://krbdev.mit.edu/rt/Ticket/Display.html?id=2636
which unfortunately hasn't been resolved.

> I see now that there is another API: krb5_init_secure_context(), which
> appears to be created to get around exactly this type of env problem. Do
> you let me know or point me to doc that shows the interface for this new
> function?
krb5_init_secure_context() isn't new--it was in the 1.0 release.  I
don't think it will solve this problem, as it simply causes the context
to ignore environment variables.  The documentation for it is at:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_init_secure_context.html

It seems possible that you meant krb5_init_context_profile(), which was
added in release 1.10:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_init_context_profile.html

This interface was created to make it possible to use
profile_init_vtable() with a krb5 context.  See the comments in
profile.h for how to use that.

(It would probably be easier if one could create a memory-only profile
object, either empty or from a file, and then use profile_add_relation()
and/or profile_update_relation() on it.  But that hasn't been implemented.)

Re: krb5_init_context()

Scot McKinley
Hi Greg, the issue that i am talking about is that krb5_init_context()
gets its config from the environment var KRB5_CONFIG. We are looking for
an initialization of the krb5 context that doesn't rely on the
environment.  I was hoping that was krb5_init_secure_context(). Is there
some OTHER way of passing the config that is retrieved via KRB5_CONFIG
in a non environment variable manner?

Thanks, Scot

On 9/2/2020 11:56 AM, Greg Hudson wrote:

> On 9/2/20 2:31 PM, Scot McKinley wrote:
>> For our use of KfW, we are using krb5_init_context() as our initial call
>> to krb5, attempting to use the environment interface defined for the
>> API. The problem is that env on windows is not well supported and is
>> buggy (env is actually cached at the loading of particular library).
> I'm not sure what "the environment interface defined for the API" refers
> to.  But I am aware of
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=2636
> which unfortunately hasn't been resolved.
>
>> I see now that there is another API: krb5_init_secure_context(), which
>> appears to be created to get around exactly this type of env problem. Do
>> you let me know or point me to doc that shows the interface for this new
>> function?
> krb5_init_secure_context() isn't new--it was in the 1.0 release.  I
> don't think it will solve this problem, as it simply causes the context
> to ignore environment variables.  The documentation for it is at:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_init_secure_context.html
>
> It seems possible that you meant krb5_init_context_profile(), which was
> added in release 1.10:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_init_context_profile.html
>
> This interface was created to make it possible to use
> profile_init_vtable() with a krb5 context.  See the comments in
> profile.h for how to use that.
>
> (It would probably be easier if one could create a memory-only profile
> object, either empty or from a file, and then use profile_add_relation()
> and/or profile_update_relation() on it.  But that hasn't been implemented.)

Re: krb5_init_context()

Scot McKinley
Hi Greg, in looking at the header files, and your previous reply, it
appears that krb5_init_secure_context() may be exactly what i want.

> I don't think it will solve this problem, as it simply causes the
> context to ignore environment variables.

Yes, i want a "krb5_init_context" that "ignores environment variables",
and thus retrieves its config in some other manner. In this case, it
appears that the "other manner" of retrieving config for
"krb5_init_secure_context" is some configuration files, which is a
problem, since we have our OWN config files.

This is strange. Isn't there a way to "init" a krb5 library context just
by *PASSING* the config directly to the init function?!?

Regards, Scot

On 9/2/2020 12:51 PM, Scot McKinley wrote:

> Hi Greg, the issue that i am talking about is that krb5_init_context()
> gets its config from the environment var KRB5_CONFIG. We are looking
> for an initialization of the krb5 context that doesn't rely on the
> environment.  I was hoping that was krb5_init_secure_context(). Is
> there some OTHER way of passing the config that is retrieved via
> KRB5_CONFIG in a non environment variable manner?
>
> Thanks, Scot

Re[2]: krb5_init_context()

Chris Hecker

> This is strange. Isn't there a way to "init" a krb5 library context just
> by *PASSING* the config directly to the init function?!?

Check out krb5_init_context_profile, I had to expose it in my local copy
of krb5 years ago, but I think it might be exposed now?

http://web.mit.edu/kerberos/krb5-1.18/doc/appdev/refs/api/krb5_init_context_profile.html

Chris




------ Original Message ------
From: "Scot McKinley" <[hidden email]>
To: "Greg Hudson" <[hidden email]>; [hidden email]
Sent: 2020-09-02 21:08:28
Subject: Re: krb5_init_context()

>Hi Greg, in looking at the header files, and your previous reply, it
>appears that krb5_init_secure_context() may be exactly what i want.
>
>  > I don't think it will solve this problem, as it simply causes the
>  > context to ignore environment variables.
>
>Yes, i want a "krb5_init_context" that "ignores environment variables",
>and thus retrieves its config in some other manner. In this case, it
>appears that the "other manner" of retrieving config for
>"krb5_init_secure_context" is some configuration files, which is a
>problem, since we have our OWN config files.
>
>This is strange. Isn't there a way to "init" a krb5 library context just
>by *PASSING* the config directly to the init function?!?
>
>Regards, Scot

Re: krb5_init_context()

Alexandr Nedvedicky
In reply to this post by Scot McKinley
Hello,

On Wed, Sep 02, 2020 at 09:08:28PM -0700, Scot McKinley wrote:

> Hi Greg, in looking at the header files, and your previous reply, it
> appears that krb5_init_secure_context() may be exactly what i want.
>
>  > I don't think it will solve this problem, as it simply causes the
>  > context to ignore environment variables.
>
> Yes, i want a "krb5_init_context" that "ignores environment variables",
> and thus retrieves its config in some other manner. In this case, it
> appears that the "other manner" of retrieving config for
> "krb5_init_secure_context" is some configuration files, which is a
> problem, since we have our OWN config files.
>
> This is strange. Isn't there a way to "init" a krb5 library context just
> by *PASSING* the config directly to the init function?!?
>

    perhaps you want to build your own kerberos library and ship it with
    your application. The default location of krb5.conf is driven by
    --sysconfdir autoconf option.  the default krb5.conf location is defined
    at compile time.

regards
sasha

Re[2]: krb5_init_context()

Chris Hecker
Here's a thread from a long time ago about this:

https://groups.google.com/forum/#!topic/comp.protocols.kerberos/V7T-Q4BBrvc

Chris


------ Original Message ------
From: "Alexandr Nedvedicky" <[hidden email]>
To: "Scot McKinley" <[hidden email]>
Cc: [hidden email]
Sent: 2020-09-03 00:30:59
Subject: Re: krb5_init_context()

>Hello,
>
>On Wed, Sep 02, 2020 at 09:08:28PM -0700, Scot McKinley wrote:
>>  Hi Greg, in looking at the header files, and your previous reply, it
>>  appears that krb5_init_secure_context() may be exactly what i want.
>>
>>   > I don't think it will solve this problem, as it simply causes the
>>   > context to ignore environment variables.
>>
>>  Yes, i want a "krb5_init_context" that "ignores environment variables",
>>  and thus retrieves its config in some other manner. In this case, it
>>  appears that the "other manner" of retrieving config for
>>  "krb5_init_secure_context" is some configuration files, which is a
>>  problem, since we have our OWN config files.
>>
>>  This is strange. Isn't there a way to "init" a krb5 library context just
>>  by *PASSING* the config directly to the init function?!?
>>
>
>     perhaps you want to build your own kerberos library and ship it with
>     your application. The default location of krb5.conf is driven by
>     --sysconfdir autoconf option.  the default krb5.conf location is defined
>     at compile time.
>
>regards
>sasha