Hello,

I am writing a program that uses Kerberos. The program is intended to be used by a service to verify clients' identities. MIT's developer documentation recommends "the GSSAPI ... for secure network communication over using the libkrb5 API directly." This led me to use the function gss_accept_sec_context to verify credentials. I would like my program to be as robust as possible, and output any error codes in an understandable way. The gss_accept_sec_context function has a "major" error code (its return value) and a "minor" error code to convey Kerberos-specific errors. I am able to find plenty of documentation on the major error code. However, I am unable to find a list of Kerberos-specific error codes within GSSAPI. Does anyone know where this might be documented? If it's not documented, I will be happy to write the documentation and submit a pull request on GitHub.

My other question is, why does MIT recommend using GSSAPI over the libkrb5 API directly? From a design perspective, I'd like to minimize the number of dependencies that my program has. By minimizing dependencies, complexity and potential attack surface (for application security) are reduced for my program. If my requirement is that I only need to verify service tickets from clients, am I better off using libkrb5 directly?

Thanks,
--
Dylan Klomparens

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos