Question

I want to make a program to do traffic authorization using GSS-API/Kerberos. So far I can contact a SSOS and get a service ticket. If the user does not have a TGT, I am doing something similar to kinit in my code.

My code ends with the user having both TGT and service ticket in its cache. The following method will read the token sent by the server.

majorStatus = gss_unwrap (&minorStatus,
                              inContext,
                              &inputBuffer,
                              &outputBuffer,
                              &encrypted,
                              NULL);

Right now the outputBuffer is empty. I mean, I am not passing anything myself. Should I be?

I want to contact another server (the service) who will check my ticket and, if valid, allow me to send traffic through him.

Using GSS-API, how do I validate such a thing? I am aware of methods such as wrap/unwrap. Where is the service session key stored in the client? After I receive the ticket in the service server, how do I validate it?

I am sorry if I am mixing up some concepts, but it's the first time I am working with such a complex API.

Thanks in advance...


Solution

I want to contact another server (the service) who will check my ticket and, if valid, allow me to send traffic through him.

You use the GSS-API functions init_security_context (on the client side) and accept_security_context() on the service side. Refer to http://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html for information and maybe check some examples online ( http://docs.oracle.com/cd/E19683-01/816-1331/sampleprogs-1/index.html )

With GSS you don't actually touch the tickets. Using these functions, you can establish a secure connection between the client and the service (the functions use the tickets, of course) and you can proceed from then on.
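The exchange the answer describes, as an added stdlib-only Python model that is not part of the original post, not the GSS-API library and not MIT krb5 code. Its "cipher" is a toy encrypt-then-MAC stand-in for a Kerberos enctype, and the principal names, key sizes and 300-second lifetimes are assumptions. What it shows is the part the question asks about: the session key sits in the credential cache next to the (opaque) service ticket and is handed to the context, never to the application; the service "validates the ticket" by opening it with its own keytab key, then checking the authenticator, the expiry and a replay cache; and after the two-leg init/accept loop completes, wrap/unwrap carry the traffic and report whether a token was encrypted (the conf_state/`encrypted` out-parameter in the question's gss_unwrap call).

```python
"""Added example: a stdlib-only model of gss_init_sec_context / gss_accept_sec_context /
gss_wrap / gss_unwrap over a Kerberos service ticket. NOT the GSS-API library; the
cipher is a toy. It only shows the shape of the exchange and what the service checks."""
import hashlib, hmac, json, secrets, time

CONTINUE_NEEDED, COMPLETE = "CONTINUE_NEEDED", "COMPLETE"

def _keystream(key, nonce, n):
    """Toy counter-mode keystream; stands in for a real enctype (assumption)."""
    return b"".join(hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
                    for c in range((n + 31) // 32))[:n]

def seal(key, data, conf=True):
    """Encrypt-then-MAC; the leading flag byte records whether the body is encrypted."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))) if conf else data
    tag = hmac.new(key, bytes([conf]) + nonce + body, hashlib.sha256).digest()
    return bytes([conf]) + nonce + body + tag

def unseal(key, token):
    """Returns (data, conf_state); a bad MAC raises, like GSS_S_BAD_SIG from gss_unwrap."""
    conf, nonce, body, tag = token[0] == 1, token[1:17], token[17:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key, token[:17] + body, hashlib.sha256).digest(), tag):
        raise ValueError("BAD_SIG")
    return (bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))) if conf else body), conf

def kdc_issue_service_ticket(service_key, cname, lifetime=300):
    """What the TGS exchange (the asker's kinit-like code) leaves in the ccache: the ticket,
    sealed under the service's keytab key and opaque to the client, plus the session key
    the KDC also placed inside that ticket."""
    session_key = secrets.token_bytes(32)
    body = json.dumps({"cname": cname, "key": session_key.hex(), "endtime": time.time() + lifetime})
    return {"ticket": seal(service_key, body.encode()), "session_key": session_key}

class ClientContext:
    """Client half of the loop around gss_init_sec_context (mutual authentication requested)."""
    def __init__(self, cred):
        self.cred, self.key, self.state, self.nonce = cred, None, CONTINUE_NEEDED, None

    def init_sec_context(self, input_token=None):
        if input_token is None:  # first call: emit the AP-REQ = ticket + authenticator
            self.nonce = secrets.token_hex(8)
            auth = seal(self.cred["session_key"], json.dumps({"ctime": time.time(), "nonce": self.nonce}).encode())
            ticket = self.cred["ticket"]
            return len(ticket).to_bytes(2, "big") + ticket + auth
        rep, _ = unseal(self.cred["session_key"], input_token)  # second call: check the AP-REP
        if json.loads(rep)["nonce"] != self.nonce:
            raise ValueError("mutual authentication failed")
        self.key, self.state = self.cred["session_key"], COMPLETE
        return None  # no more output tokens

class ServerContext:
    """Service half, gss_accept_sec_context; `seen` is the replay cache shared by all contexts."""
    def __init__(self, service_key, seen):
        self.service_key, self.seen, self.key, self.peer, self.state = service_key, seen, None, None, CONTINUE_NEEDED

    def accept_sec_context(self, input_token):
        n = int.from_bytes(input_token[:2], "big")
        ticket, auth_tok = input_token[2:2 + n], input_token[2 + n:]
        tkt = json.loads(unseal(self.service_key, ticket)[0])   # only the keytab key opens the ticket
        if time.time() > tkt["endtime"]:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(tkt["key"])
        auth = json.loads(unseal(session_key, auth_tok)[0])     # proves the client holds the session key
        if abs(time.time() - auth["ctime"]) > 300:
            raise ValueError("clock skew too large")
        if auth["nonce"] in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(auth["nonce"])
        self.key, self.peer, self.state = session_key, tkt["cname"], COMPLETE
        return seal(session_key, json.dumps({"nonce": auth["nonce"]}).encode())  # AP-REP

def establish(client, server):
    """The token loop both sides run until neither side still needs to continue."""
    out = client.init_sec_context(None)
    while out is not None:
        reply = server.accept_sec_context(out)
        out = client.init_sec_context(reply) if client.state == CONTINUE_NEEDED else None
    return client.state == COMPLETE and server.state == COMPLETE

def wrap(ctx, data, conf_req=True):
    return seal(ctx.key, data, conf_req)

def unwrap(ctx, token):
    return unseal(ctx.key, token)  # (data, conf_state), as gss_unwrap reports conf_state

def run_demo():
    service_key = secrets.token_bytes(32)  # what the service reads from its keytab (constructed)
    cred = kdc_issue_service_ticket(service_key, "alice@EXAMPLE.COM")
    replay_cache = set()
    client, server = ClientContext(cred), ServerContext(service_key, replay_cache)
    result = {"established": establish(client, server), "peer": server.peer}
    result["data"], result["conf_state"] = unwrap(server, wrap(client, b"traffic after the handshake"))
    result["integ_only"] = unwrap(server, wrap(client, b"signed only", conf_req=False))
    req = ClientContext(cred).init_sec_context()  # a captured AP-REQ, for the two failure cases
    def rejected(fn):
        try:
            fn(); return False
        except ValueError:
            return True
    result["wrong_key_rejected"] = rejected(lambda: ServerContext(secrets.token_bytes(32), set()).accept_sec_context(req))
    ServerContext(service_key, replay_cache).accept_sec_context(req)  # first use is accepted
    result["replay_rejected"] = rejected(lambda: ServerContext(service_key, replay_cache).accept_sec_context(req))
    tok = wrap(client, b"tamper me")
    result["tamper_rejected"] = rejected(lambda: unwrap(server, tok[:20] + bytes([tok[20] ^ 1]) + tok[21:]))
    return result

if __name__ == "__main__":
    print(run_demo())
```

The client-side code in the question never needs to read the session key: it lives in the credential cache entry beside the ticket and is consumed by the context object, which is exactly why the real API exposes only tokens and wrap/unwrap. The `replay_cache` set plays the role of the service's replay cache, and the `wrong_key_rejected` case is what happens when the service's keytab does not hold the key the KDC used to seal the ticket.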

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow