[20220] in Kerberos_V5_Development


Re: Getting ticket from the KDC in C

daemon@ATHENA.MIT.EDU (Dean Dln)
Thu Jan 7 10:19:12 2021

MIME-Version: 1.0
In-Reply-To: <em3539fb23-51d3-458e-a7d4-1b61e5e8809b@checker-blade15>
From: Dean Dln <constantinedalianis@gmail.com>
Date: Thu, 7 Jan 2021 17:18:24 +0200
Message-ID: <CAECsUzaFHpahdOs0sCC_j=hj3arTD0hqxkOcuunR29A9+Cbkvg@mail.gmail.com>
To: Chris Hecker <checker@d6.com>
Cc: kenh@cmf.nrl.navy.mil, "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Dear Chris and Ken,

Thank you both for your replies. They helped a lot.
I work for CERN and we are using Kerberos for user authentication purposes.
I managed to get a service ticket using `gss_init_sec_context` from GSSAPI.

Best regards,
Dean

On Wed, 6 Jan 2021 at 21:48, Chris Hecker <checker@d6.com> wrote:

>
> Have you compiled and run the samples in the source distribution (in
> src/appl in my version)?  There are two different client/server samples
> and a user to user sample.  Those should at least get you started
> (they're how I got started with the krb5 c api).  Also, the klist and
> kvno sources show how to decode tickets and whatnot, if you need to do
> that.
>
> Chris
>
>
> ------ Original Message ------
> From: "Dean Dln" <constantinedalianis@gmail.com>
> To: krbdev@mit.edu
> Sent: 2021-01-06 00:06:41
> Subject: Getting ticket from the KDC in C
>
> >Dear all,
> >
> >I would like to ask for some tips on how to get a ticket from the Key
> >Distribution Center (KDC) using the MIT krb5 API in C/C++?
> >
> >I already have a working Java Client which uses GSS-API to obtain a ticket
> >from the KDC (using a local TGT) and forwards it to a Java Server.
> >
> >The server accepts the security context using the following logic:
> >
> >private GSSContext acceptSecurityContext(Subject serverSubject, final byte[] kerberosServiceTicket) {
> >  return Subject.doAs(serverSubject, (PrivilegedAction<GSSContext>) () -> {
> >             GSSContext gssContext;
> >             try {
> >                 gssContext = manager.createContext((GSSCredential) null);
> >             } catch (GSSException ex) {
> >                 LOGGER.warn("Could not create Kerberos gssContext: " + ex.getMessage(), ex);
> >                 return null;
> >             }
> >             try {
> >                 gssContext.acceptSecContext(kerberosServiceTicket, 0, kerberosServiceTicket.length);
> >             } catch (GSSException ex) {
> >                 LOGGER.warn("Could not accept security context: " + ex.getMessage(), ex);
> >                 return null;
> >             }
> >             return gssContext;
> >         });
> >}
> >
> >I am trying to implement a C client - similar to the Java one - using MIT
> >krb5 API and I can't seem to make it work. So far this is my C client code:
> >
> >     krb5_context context;
> >     krb5_ccache ccache;
> >     krb5_creds *outCreds = NULL;
> >     krb5_creds inCreds;
> >     int retval;
> >     char *principal = "...";
> >
> >     retval = krb5_init_secure_context(&context);
> >     ...
> >
> >     retval = krb5_cc_default(context, &ccache);
> >     ...
> >
> >     memset(&inCreds, 0, sizeof(inCreds));
> >     retval = krb5_parse_name(context, principal, &inCreds.server);
> >     ...
> >
> >     retval = krb5_cc_get_principal(context, ccache, &inCreds.client);
> >     ...
> >
> >     retval = krb5_get_credentials(context, 0, ccache, &inCreds, &outCreds);
> >     ...
> >
> >     // also tried using the following: krb5Ticket->enc_part.ciphertext.data
> >     // (maybe this is the correct way, but I should somehow decrypt it and
> >     // use krb5Ticket->enc_part2 ?)
> >     // retval = krb5_decode_ticket(&outCreds->ticket, &krb5Ticket);
> >     // ...
> >
> >     char *base64KerberosTicket = base64_encode(outCreds->ticket.data, strlen(outCreds->ticket.data));
> >
> >     char *response = loginKerberos(base64KerberosTicket);
> >     ...
> >
> >Thank you in advance.
> >
> >Best regards,
> >Dean
> >_______________________________________________
> >krbdev mailing list             krbdev@mit.edu
> >https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
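
Added example, not part of the thread and not MIT krb5 code: the quoted C client sizes `outCreds->ticket.data` with `strlen`, but a `krb5_data` (like the `gss_buffer_desc` that `gss_init_sec_context` fills in) is a binary buffer with an explicit `length`, so the encoder has to be given that length. `struct bin_buf`, `b64_encode`, `strlen_view` and the sample bytes are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-delimited buffer such as krb5_data or
 * gss_buffer_desc, defined here so the example builds without krb5 headers. */
struct bin_buf { size_t length; const unsigned char *data; };

/* Constructed sample: DER-like bytes with embedded NULs, not a real ticket. */
static const unsigned char sample[] =
    { 0x61, 0x82, 0x01, 0x00, 0x30, 0x82, 0x00, 0xfc, 0xa0, 0x03 };

/* Standard base64 (RFC 4648) over exactly len bytes; caller frees the result. */
char *b64_encode(const unsigned char *in, size_t len)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(4 * ((len + 2) / 3) + 1), *p = out;
    size_t i;
    if (out == NULL) return NULL;
    for (i = 0; i + 2 < len; i += 3) {          /* full 3-byte groups */
        unsigned v = (unsigned)in[i] << 16 | (unsigned)in[i + 1] << 8 | in[i + 2];
        *p++ = tbl[v >> 18];       *p++ = tbl[(v >> 12) & 63];
        *p++ = tbl[(v >> 6) & 63]; *p++ = tbl[v & 63];
    }
    if (i < len) {                              /* 1 or 2 trailing bytes */
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        *p++ = tbl[v >> 18]; *p++ = tbl[(v >> 12) & 63];
        *p++ = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        *p++ = '=';
    }
    *p = '\0';
    return out;
}

/* Number of bytes a strlen()-based caller would encode: stops at the first NUL. */
size_t strlen_view(const struct bin_buf *b)
{
    const unsigned char *nul = memchr(b->data, 0, b->length);
    return nul ? (size_t)(nul - b->data) : b->length;
}

int main(void)
{
    struct bin_buf t = { sizeof sample, sample };
    char *full = b64_encode(t.data, t.length);
    char *cut = b64_encode(t.data, strlen_view(&t));
    if (!full || !cut) return 1;
    printf("by length: %s\nby strlen: %s\n", full, cut);
    free(full); free(cut);
    return 0;
}
```

A receiver handed the truncated encoding gets an incomplete DER structure and will reject it, which is one reason a raw ticket sized this way never reaches the acceptor intact.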