On Wed, Mar 22, 2017 at 03:48:21PM -0400, Dylan Klomparens wrote:
> Hello,
>
> I'm writing a program that accepts Kerberos authentication using the
> GSSAPI. The program acquires credentials using gss_acquire_cred_from() with
> a keytab specified, and this is working properly. The keytab has multiple
> principals stored in it. I want to output all the principals that were
> acquired, so I tried to use gss_inquire_cred() to find out and
> gss_display_name() to print them. This allows me to output the first
> principal in the keytab, but only the first one. Is there a way to output
> all of them? How can I iterate through all the principals acquired from a
> single keytab and output their names?
RFC 2743 is pretty clear that a GSS credential handle can represent only a
single (named) entity, though it may have credentials for that entity with
multiple mechanisms. Since there is only one GSS name associated with the
credential, there is no need to iterate.

That said, for the case where the Kerberos keytab in question is the default
location (/etc/krb5.keytab, or what is specified by the KRB5KTNAME
environment variable), gss_accept_sec_context() with GSS_C_NO_CREDENTIAL as
the acceptor credential handle will automatically search through all
identities in the keytab and use any of them, if they match the message from
the client.

> Once I accept a security context, the program is authenticating correctly,
> so it stands to reason that I'm legitimately acquiring multiple credentials
> from the same keytab.

What you have said here is not enough information to establish your
conclusion. How do we know what names the initiators are trying to use to
contact the service?

-Ben

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
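Editor's added example (not code from either poster, and not part of the thread): since a GSS credential handle names only one entity, the list of principals a keytab holds has to come from the keytab itself rather than from gss_inquire_cred(). The reader below parses the MIT keytab file format (version 0x0502: a two-byte version tag followed by length-prefixed entries, each carrying realm, name components, name type, timestamp, 8-bit kvno, enctype, key, and an optional 32-bit kvno; negative entry sizes mark deleted slots). The sample keytab is constructed in-line with placeholder keys, and the build_entry() writer exists only to produce that sample; nothing here touches the GSSAPI.

```python
"""Enumerate principals stored in an MIT-format (0x0502) keytab.

Constructed example: the sample keytab below is built in memory with
placeholder keys and does not correspond to any real service.
"""
import struct
from typing import Iterator, List, Tuple


def _counted_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def iter_keytab_entries(data: bytes) -> Iterator[dict]:
    """Yield one dict per live entry; deleted entries (size < 0) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # deleted slot: skip the hole it occupies
            off += -size
            continue
        if size == 0:           # zero-length record: treat as end of file
            break
        entry = data[off:off + size]
        off += size
        p = 0
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _counted_string(entry, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted_string(entry, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        p += 2
        key, p = _counted_string(entry, p)
        vno = vno8
        if size - p >= 4:       # 32-bit kvno present only if 4 bytes remain
            (vno,) = struct.unpack_from(">I", entry, p)
        yield {
            # component escaping ('/' and '@' inside names) is not handled here
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": vno, "enctype": enctype, "key": key,
        }


def keytab_principals(data: bytes) -> List[str]:
    """Distinct principal names, in file order; never exposes key material."""
    seen: List[str] = []
    for e in iter_keytab_entries(data):
        if e["principal"] not in seen:
            seen.append(e["principal"])
    return seen


# --- writer used only to construct the sample keytab ---------------------

def _cs(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, enctype: int, key: bytes, kvno: int,
                timestamp: int = 0) -> bytes:
    """Serialise one keytab entry (name type 1 = KRB5_NT_PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cs(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: two service principals with placeholder keys and one
# deleted 8-byte slot between them (enctype 18 = aes256-cts, 17 = aes128-cts).
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("host/www.example.com@EXAMPLE.COM", 18, b"\x01" * 32, 3)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry("HTTP/www.example.com@EXAMPLE.COM", 17, b"\x02" * 16, 5)
)

if __name__ == "__main__":
    for name in keytab_principals(SAMPLE_KEYTAB):
        print(name)
```

To run it against a real file, pass open(path, "rb").read() to keytab_principals(); the default keytab is /etc/krb5.keytab unless the KRB5_KTNAME environment variable points elsewhere. Because every entry also carries the long-term key, the file should stay readable only by the service account, and any listing tool should emit principal names and kvnos, not the key bytes.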