In MIT Kerberos 1.7, you can use gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY).
-- Luke

On 24/02/2009, at 4:59 PM, Thomas Maslen wrote:

> On Feb 23, 2009, at 04:39, Speedo wrote:
>> I guess this issue had been discussed before: WS-Security negotiates
>> with Kerberos 5 but uses the session key in a different way from GSS
>> tokens. Since GSS-API is the public API to access Kerberos 5, is there
>> any recent progress in enhancing the GSS-API to provide a function
>> like gss_get_session_key()?
>
> Yes, we bumped up against this with our Java implementation of Kerberos,
> GSSAPI, etc.
>
> Since we have our own implementation (c.f. the ones that Sun and IBM ship
> in their respective JDKs), I added a home-grown API[*] to extract the session
> key from the GSSContext once the context is established, precisely to
> support the WS-Security Kerberos Token Profile.
>
> But if that isn't an option... the initial context token for the Kerberos 5
> GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI
> framing prepended, so perhaps you can strip off the GSSAPI cruft
> (including the non-ASN.1 bytes), leaving you with the AP-REQ, and
> you probably have lots of tasty APIs to process that and then give you
> the session key?
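
The framing-stripping step suggested in the quoted message, as an added example that is not part of the original thread or of any Kerberos implementation. It assumes the RFC 2743 section 3.1 token framing and the two-byte TOK_ID of the Kerberos 5 mechanism (the "non-ASN.1 bytes"); `strip_gss_framing`, `der_len` and `SAMPLE_TOKEN` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* DER-encoded Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 */
static const unsigned char KRB5_MECH_OID[] =
    { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };

/* Constructed sample (assumption, not a captured token): framing, TOK_ID,
 * then a 4-byte stand-in whose outer tag is the AP-REQ tag 0x6e. */
static const unsigned char SAMPLE_TOKEN[] = {
    0x60, 0x11,                         /* [APPLICATION 0], length 17 */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x01, 0x00,                         /* TOK_ID: AP-REQ, not ASN.1 */
    0x6e, 0x02, 0x30, 0x00              /* stand-in for the AP-REQ */
};

/* Read a DER definite length at *p; 0 on success, -1 on malformed input. */
static int der_len(const unsigned char **p, const unsigned char *end, size_t *out)
{
    if (*p >= end) return -1;
    unsigned char b = *(*p)++;
    if (b < 0x80) { *out = b; return 0; }            /* short form */
    size_t n = b & 0x7f;                             /* long form: n length bytes */
    if (n == 0 || n > sizeof(size_t) || (size_t)(end - *p) < n) return -1;
    *out = 0;
    while (n--) *out = (*out << 8) | *(*p)++;
    return 0;
}

/* Strip the GSS-API framing and TOK_ID from an initial context token.
 * On success returns 0 and points *ap_req at the AP-REQ inside tok. */
int strip_gss_framing(const unsigned char *tok, size_t tok_len,
                      const unsigned char **ap_req, size_t *ap_req_len)
{
    const unsigned char *p = tok, *end = tok + tok_len;
    size_t body;

    if (tok_len < 1 || *p++ != 0x60) return -1;      /* [APPLICATION 0] */
    if (der_len(&p, end, &body) || body != (size_t)(end - p)) return -1;
    if (body < sizeof(KRB5_MECH_OID) + 3 ||          /* OID + TOK_ID + 1 byte */
        memcmp(p, KRB5_MECH_OID, sizeof(KRB5_MECH_OID)) != 0) return -1;
    p += sizeof(KRB5_MECH_OID);
    if (p[0] != 0x01 || p[1] != 0x00) return -1;     /* TOK_ID must be AP-REQ */
    p += 2;
    if (*p != 0x6e) return -1;                       /* [APPLICATION 14] */
    *ap_req = p;
    *ap_req_len = (size_t)(end - p);
    return 0;
}
```

The returned pointer and length can then be handed to whatever AP-REQ decoding routine the Kerberos library in use provides.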
