Programming in Kerberos - Kerberos


Thread: Programming in Kerberos

  1. Programming in Kerberos

    Hi,

    Are there good web sites where people can learn to program Kerberos stuff?

    Thanks,
    ming



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Programming in Kerberos

    I recently learned how to program MIT Kerberos with no
    previous knowledge of anything Kerberos related.

    If you haven't already, you should first understand
    how to use Kerberos and also understand the protocol
    at a high level. Google for "The Moron's Guide to
    Kerberos" and play with kinit, kdestroy, kutil, etc.

    The MIT distribution includes an API description (in
    TEX format if I remember correctly). However, this
    documentation is incomplete, out of date, and more of
    a reference than a tutorial. The best documentation
    is the actual source code. I read the source to kinit
    and some of the library to learn how to write Kerberos
    programs.

    The nice thing about open source software is that if
    you really want to know how something works, you can
    look at the source. On the flip side, documentation
    is often less of a priority, so sometimes you HAVE to
    look at the source code.


  3. Re: Programming in Kerberos

    Maybe it would help if we knew what type of software you are hoping to
    program?

    Chris
    - - - - - - - - - - - - - - - - - - - -
    Christopher M. Hutchison, CEO
    NetSteady Communications, Ltd.
    P.O. Box 392
    Galloway, Ohio 43119

    Phone: 614-853-0091
    Skype: wifi_chris

    http://www.netsteady.cc


  4. Re: Programming in Kerberos

    brian.joh@comcast.net wrote:
    > I recently learned how to program MIT Kerberos with no previous
    > knowledge of anything Kerberos related.
    >
    > If you haven't already, you should first understand how to use
    > Kerberos and also understand the protocol at a high level. Google
    > for "The Moron's Guide to Kerberos" and play with kinit,
    > kdestroy, kutil, etc.
    >
    > The MIT distribution includes an API description (in TEX format if I
    > remember correctly). However, this documentation is incomplete, out
    > of date, and more of a reference than a tutorial. The best
    > documentation is the actual source code. I read the source to kinit
    > and some of the library to learn how to write Kerberos programs.
    >
    > The nice thing about open source software is that if you really want
    > to know how something works, you can look at the source. On the flip
    > side, documentation is often less of a priority, so sometimes you
    > HAVE to look at the source code.


    You also have to be aware that not all of the interfaces in the source
    code are actually recommended for public use. There are quite a few
    deprecated interfaces that are still around for backwards compatibility
    with older programs, but that nonetheless should NOT be used in new
    programs.

    -Wyllys



  5. Re: Programming in Kerberos

    Right, but there are also interfaces that are intended for public use
    that can only be found by looking at the source. For instance, when I
    looked at the source to some of the Kerberos applications in the
    standard distribution, I found no one uses krb5_get_in_tkt() or any of
    its variants anymore. Instead, applications generally use the newer,
    but undocumented krb5_get_init_creds_password(). Given that many of the
    commonly used functions like krb5_get_init_creds_password are totally
    undocumented, newbies, like me, HAVE to read the source, or risk using
    an older and possibly deprecated interface.


  6. Re: Programming in Kerberos

    brian.joh@comcast.net wrote:

    > Right, but there are also interfaces that are intended for public use
    > that can only be found by looking at the source. For instance, when
    > I looked at the source to some of the Kerberos applications in the
    > standard distribution, I found no one uses krb5_get_in_tkt() or any
    > of its variants anymore. Instead, applications generally use the
    > newer, but undocumented krb5_get_init_creds_password(). Given that
    > many of the commonly used functions like krb5_get_init_creds_password
    > are totally undocumented, newbies, like me, HAVE to read the source,
    > or risk using an older and possibly deprecated interface.



    Ideally, you wouldn't use the KRB5 APIs at all, you would use GSSAPI
    instead - it is standard and portable across implementations and platforms.

    -Wyllys



  7. Re: Programming in Kerberos

    Wyllys Ingersoll writes:

    > Ideally, you wouldn't use the KRB5 APIs at all, you would use GSSAPI
    > instead - it is standard and portable across implementations and
    > platforms.


    Hm, is there a way to use GSSAPI to do password verification? It's
    annoying that one has to do this, but alas it's still fairly common to
    have to send a Kerberos username/password pair over a TLS connection to be
    verified on the server. GSSAPI client support is slow to materialize.

    --
    Russ Allbery (rra@stanford.edu)

  8. Re: Programming in Kerberos

    Russ Allbery wrote:

    > Wyllys Ingersoll writes:
    >
    > > Ideally, you wouldn't use the KRB5 APIs at all, you would use
    > > GSSAPI instead - it is standard and portable across implementations
    > > and platforms.
    >
    > Hm, is there a way to use GSSAPI to do password verification? It's
    > annoying that one has to do this, but alas it's still fairly common
    > to have to send a Kerberos username/password pair over a TLS
    > connection to be verified on the server. GSSAPI client support is
    > slow to materialize.


    Unfortunately, not in a standard way. In Solaris, we have implemented
    a "gss_acquire_cred_with_password" function that does what you are asking
    for, but it is not part of other GSSAPI implementations as far as I know.

    There are proposals in the KITTEN WG for extending GSSAPI to do
    things like this in the next spec, though.

    -Wyllys



  9. Re: Programming in Kerberos - GSSAPI gss_acquire_cred_with_password

    Wyllys Ingersoll writes:

    > Unfortunately, not in a standard way. In Solaris, we have implemented
    > a "gss_acquire_cred_with_password" function that does what you are asking
    > for, but it is not part of other GSSAPI implementations as far as I know.



    Is there a simple tutorial example demonstrating the use of GSSAPI and
    gss_acquire_cred_with_password?




