I thought I wanted to use GSS-API, but now am not so sure, since I'm having a hard time finding good sample code for a trivial client/server pair. Sun has documentation including sample code, but it's written specifically for their GSS API implementation, using a few proprietary functions not in e.g. the GNU GSS-API (and for which it's not immediately clear to me how to re-implement them against the GNU implementation). Plus, it's written in pre-ANSI C, with K&R function declarations and so on (I had no problem converting the declarations, but it did make me think the Sun example code may be so old as to be irrelevant).

Have you used the GSS-API in an application in, say, the last decade? Do you know of some self-contained tutorial with example programs that's worth reading?

Alternatively, maybe I'm on the wrong track and should try SASL instead. The GNU GSS-API author himself suggests as much.

For what it's worth, I'm using GCC on Linux, and have Kerberos set up already for other purposes.

+3  A: 

Yes, you should absolutely be using SASL instead of GSSAPI. It is a much better supported protocol, and the libraries are pretty good. At the very least, you can think of it as a sanity-improving wrapper over GSSAPI, since that is one of the typical plugins implemented for SASL. The only reason you should consider using GSSAPI directly is to implement a SASL library. But don't do that. :)

SASL also has wide use. It is specified as part of IMAP and XMPP.

Are you implementing some custom protocol over TCP?

Adam Goode
I already have a custom protocol over TCP (and other transports). I'd like to add authentication to it.
John Zwinck
Yes, SASL will work OK for this. You just need to define some mechanism in your protocol to exchange the SASL info, and you're set. Note that SASL doesn't really provide encryption; typically you do TLS first, then SASL.
Adam Goode
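
Added example, not part of the original thread and not taken from any SASL library: one way to "define some mechanism in your protocol to exchange the SASL info" is a small length-prefixed frame that carries the opaque tokens a SASL library produces at each step. The message types, the 5-byte header layout, the 64 KiB token cap and the function names are all assumptions made for illustration; the frames are meant to travel inside an already-established TLS session.

```c
/* Added example: hypothetical framing for SASL tokens in a custom TCP protocol. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { AUTH_START = 1, AUTH_STEP = 2, AUTH_OK = 3, AUTH_FAIL = 4 }; /* assumed types */
#define HDR_LEN   5u      /* 1-byte type + 4-byte big-endian token length */
#define MAX_TOKEN 65536u  /* assumed cap: the peer is still unauthenticated here */

/* Write one frame into out; returns bytes written, or -1 if invalid or too big. */
long sasl_frame_encode(uint8_t type, const uint8_t *tok, uint32_t tlen,
                       uint8_t *out, size_t cap)
{
    if (type < AUTH_START || type > AUTH_FAIL || tlen > MAX_TOKEN) return -1;
    if (cap < HDR_LEN || cap - HDR_LEN < tlen) return -1;
    out[0] = type;
    out[1] = (uint8_t)(tlen >> 24); out[2] = (uint8_t)(tlen >> 16);
    out[3] = (uint8_t)(tlen >> 8);  out[4] = (uint8_t)tlen;
    if (tlen) memcpy(out + HDR_LEN, tok, tlen);
    return (long)(HDR_LEN + tlen);
}

/* Parse one frame from a receive buffer that may hold a partial TCP read.
 * Returns bytes consumed, 0 if more data is needed, -1 if the frame is invalid.
 * On success *tok points into buf; the token is not copied. */
long sasl_frame_decode(const uint8_t *buf, size_t len,
                       uint8_t *type, const uint8_t **tok, uint32_t *tlen)
{
    if (len < HDR_LEN) return 0;
    uint32_t n = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                 ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    /* Reject unknown types and oversized lengths before waiting for the body. */
    if (buf[0] < AUTH_START || buf[0] > AUTH_FAIL || n > MAX_TOKEN) return -1;
    if (len - HDR_LEN < n) return 0;
    *type = buf[0];
    *tok  = buf + HDR_LEN;
    *tlen = n;
    return (long)(HDR_LEN + n);
}
```

Each side feeds the decoded token to its SASL library and sends the library's output back in the next frame until the server answers with the success or failure type.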