My network has a Kerberos server for username/password authentication. Machines that run my application have functioning Kerberos clients, so users can use kinit, etc.

How do I interact with the server programmatically, from my own custom applications? The preferred language for an example is C.

I want users of my application to authenticate against a Kerberos server before access to certain functions. I anticipate having to ask them for their username and password - kinit may not have been called.

The machines hosting the applications run OS X and Debian/Linux.

I believe the answer might well involve GSSAPI. If so, are there good tutorials for this?

A: 

GSSAPI is indeed the recommended approach, but the precise details will depend on your language environment and whether you need interop with Windows. Is your Kerberos provider Windows or something else?

On Windows, Kerberos is a native protocol supported by the OS, and many high-level Win32 APIs will effectively give you it for free. Making it interop with a non-Windows Kerberos server is possible but not trivial.

On UNIX, you may first need to install Kerberos client support and get that working - but if your network already has a Kerberos server, this may have been done for you already.

Windows includes an implementation of GSSAPI, as does Java, and most UNIX flavors have an implementation. I believe GSSAPI add-ons are available for PHP also.

If you can add more specifics on your requirements I can firm this answer up a bit.

frankodwyer
OK, I've made my question a bit narrower in scope
John McAleely
+1  A: 

Sun covers this in their book Solaris Security for Developers Guide. Specifically helpful to you will probably be Appendix A - Sample C-based GSSAPI programs and Chapter 5 - GSS-API Client Example.

Good luck. :-)

Stobor
+1  A: 

Have a look at Heimdal; they have an extensive Kerberos API, and the site below has a great doxygen install that describes the API.

http://www.h5l.org

s00th