[31738] in Kerberos


How to get a GSSAPI context from a KRB5 credentials cache

daemon@ATHENA.MIT.EDU (beheer@topdesk.com)
Tue Dec 1 12:53:13 2009

From: beheer@topdesk.com
To: kerberos@mit.edu
Date: Tue, 1 Dec 2009 18:52:30 +0100
Message-Id: <vmime.4b1557de.36c6.3f8984b05d663ed0@mona.topdesk.com>

Hi,

I'm trying to modify Apache2-2.2.9 "mod_proxy_http" on Debian Lenny to send an "Authorization: Negotiate [base64_token]" header to a backend server on behalf of the user, but I have some problems generating the GSSAPI token.

As part of the authentication process, I use "mod_webauth", which creates a credentials cache in KRB5CCNAME=/var/lib/webauth/cred_cache/temp.krb5.xxxxxx with the correct credentials. What I want is to initialize a GSSAPI security context from this file, but I don't know how. I've looked around, and I can successfully create a Kerberos 5 context, but then I don't know how to transform this into GSSAPI:

   ccache_name = apr_table_get(r->subprocess_env, "KRB5CCNAME");
   if (ccache_name == NULL) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                         "proxy: krb5_auth_headers: no KRB5CCNAME found");
   } else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                         "proxy: krb5_auth_headers: KRB5CCNAME %s found", ccache_name);

        /* Initialize Kerberos context and read credentials cache */
        ret_krb5 = krb5_init_context(&ctx);
        if (ret_krb5 != 0) {
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                             "proxy: krb5_auth_headers: error initializing krb5 context");
        } else {
                /* Resolve the cache only when the context was initialized */
                ret_krb5 = krb5_cc_resolve(ctx, ccache_name, &temp_ccache);
                if (ret_krb5 != 0)
                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                                     "proxy: krb5_auth_headers: KRB5CCNAME %s could not be resolved", ccache_name);
        }
   }

I would like to "somehow" transform the following Perl code into C:

        /*
         my $ctx = GSSAPI::Context->new();
         my $imech = GSSAPI::OID::gss_mech_krb5;
         my $iflags = 0 ;
         my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
         my $creds = GSS_C_NO_CREDENTIAL;
         my $itime = 0;
         my $itoken = q{};
         my $otoken;

         $status = $ctx->init($creds,$target,
                             $imech,$iflags,$itime,$bindings,$itoken,
                             undef, $otoken,undef,undef) or last;

        $status = $ctx->valid_time_left($ttl) or last;
        print "\n Security context's time to live $ttl secs";
        print "\n Negotiate ".encode_base64($otoken,"");
        */

However, how can I tell GSSAPI to use the credentials cache I just opened? I tried "gss_krb5_acquire_cred_cache" and "gss_export_cred", but they are not available in libgssapi-krb5-2 on my Debian installation. I also looked in the Heimdal package, but no luck. :(

Could you please give me an orientation on what to do? Thank you very much! 

Kind regards,

--
Xesc


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
