>Heh, I understand how Kerberos works (or at least, I like to think I do),
>but my several aborted attempts to learn GSSAPI have made my brain hurt.
>The lack of a plain English introduction/explanation to the API is probably
>why Kerberos doesn't have a heck of a lot of application support.
>(Anyone else listening here?)

We also have desired a simple authorization server ... sadly, the money dried up for it during the design phase. It would probably look like something John is talking about (the non-SAML version), had we managed to complete it.

Regarding Kerberos/GSSAPI programming ... a few years ago I wrote very heavily commented "Hello, world" client and server programs as an illustration for the Kerberos API. They're available if people are interested (I have been told that they are helpful by others I have shown them to).

While I am no fan of the GSSAPI, Russ Allbery told me once that if you suck it up and wade through the RFCs, it's actually not too bad. I grudgingly admit that he is correct on that one; once I sat down and started going through the RFC I was able to write a GSS-API program without too much pain. The trick is to read the RIGHT RFCs - the ones you need are RFC 2744 (assuming you're writing it in C) and 2743 (for the generic API concepts). Ignore most of the rest of them. The code I wrote for that project actually is pretty good w.r.t. commenting, if it would be helpful to anyone else.

Although ... if I ever find out who is responsible for the mess that is gss_display_status(), I'm going to kick them in the balls. Repeatedly.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
