Questions about kerberos authentication

My Openfire version is 3.4.1, and I have set up Kerberos and configured Openfire correctly.

Below is Pidgin's output. I marked in red what I think is important.

(10:34:03) jabber: Sending: <?xml version='1.0' ?>

(10:34:03) jabber: Sending: <stream:stream to='verdant.prc.sun.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(10:34:03) jabber: Recv (192): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="verdant.prc.sun.com" id="b7fdee49" xml:lang="en" version="1.0">

(10:34:03) jabber: Recv (391): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

(10:34:03) jabber: Sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

(10:34:03) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

(10:34:03) jabber: Sending (ssl): <stream:stream to='verdant.prc.sun.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(10:34:03) jabber: Recv (ssl)(522): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="verdant.prc.sun.com" id="b7fdee49" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

(10:34:03) sasl: Mechs found: GSSAPI

(10:34:03) jabber: Sending (ssl): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI'>YIICDwYJKoZIhvcSAQICAQBuggHMIIBqADAgEFoQMCAQ6iBwMFACAAAACjggEWYYIBEjCCAQ6gAwIBBaENGwtCSkZVLkVEVS5DTqImMCSgAwIBA6EdMBsbBHhtcHAbE3ZlcmRhbnQucHJjLnN1bi5jb22jgc8wgcygAwIBEKEDAgEDooG/BIG8y0IIVBexs7TzrmGX5EJi0jtsk76p4eF7sXwECTPy8f3YLwX2cXjrImqccdd4qinhREFRJDjDWTqBUmGvEDDOrCix9SsC6VA8W1AzxrTBuSHNV05stbaQzA6RbdUo0Q3YG/ilBIPsm3I8QGmMkITXn3ZCEuwlQ1Z7sQ9gSAbg61FB2lWhaSyE5qz35cHqd/ZpNDJVnqNa2U0NXTw5bVdMmETAdLH/dQZ54FS8bWknUYJNOTEnORvltCYmkgcowgcegAwIBEKKBvwSBvNouDBWl14te/19B5bkx4pi7K59NpqxbTguxRK9KxaLIwMJ6Pk75dB7zKksxDe5aVGpkZKdBwMFh7taReSPwzV05Lo7FC9ese7XmxrYOtItA5QBkfpT9c1uneoYootYPHgk2f1WuHD49S6TqXZMgKd/SYUxsIVuOxlrgKqDbTDLOSdJokeCTVQG48wXSDr/AWKhO7xoarJ4umdDea6vzrTupX5mjxslbcZDRkaq+T7JPl4Zsl3HM8</auth>

(10:34:04) jabber: Recv (ssl)(212): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YGwGCSqGSIb3EgECAgIAb10wW6ADAgEFoQMCAQiTzBNoAMCARCiRgREZzp5x56lhKT5w93vOKQMQvcgmZ05CVsc1Ami04uSWBkMkteSoU/6YbH4X2lChRB/65HCxsZhYUev5O8nkewMgTko=</challenge>

(10:34:04) jabber: Sending (ssl): <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

(10:34:04) jabber: Recv (ssl)(152): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">YD8GCSqGSIb3EgECAgIBBAD/////VZWA4SXzkBIrwDpdc5urCoeQT5VOPThM6uyL4Vh9Hpgy+kZoAQEAAAQEBAQ=</challenge>

(10:34:04) jabber: Sending (ssl): <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>YD8GCSqGSIb3EgECAgIBBAD/////7jj63AL*gedFVW4/*EJqFki7IlylsaGMmm+O9GRymOkc4tXOAQAAAAQEBAQ=</response>

(10:34:04) jabber: Recv (ssl)(51): <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

(10:34:04) jabber: Sending (ssl): <stream:stream to='verdant.prc.sun.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

(10:34:04) jabber: Recv (ssl)(421): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="verdant.prc.sun.com" id="b7fdee49" xml:lang="en" version="1.0"><stream:features><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></stream:features>

(10:34:04) jabber: Sending (ssl): <iq type='set' id='purple7fb50bd5'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><resource>Home</resource></bind></iq>

(10:34:04) jabber: Recv (ssl)(172): <iq type="result" id="purple7fb50bd5" to="verdant.prc.sun.com/b7fdee49"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>test1@verdant.prc.sun.com/Home</jid></bind></iq>

(10:34:04) jabber: Sending (ssl): <iq type='set' id='purple7fb50bd6'><session xmlns='urn:ietf:params:xml:ns:xmpp-session'/></iq>

(10:34:04) jabber: Recv (ssl)(133): <iq type="result" id="purple7fb50bd6" to="test1@verdant.prc.sun.com/Home"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></iq>

(10:34:04) jabber: jabber_actions: have pep: NO

(10:34:04) connection: Activating keepalive.

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bd7' to='verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#items'/></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bd8' to='verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>

(10:34:04) jabber: Recv (ssl)(440): <iq type="result" id="purple7fb50bd7" from="verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#items"><item jid="pubsub.verdant.prc.sun.com" name="Publish-Subscribe service"/><item jid="proxy.verdant.prc.sun.com" name="Socks 5 Bytestreams Proxy"/><item jid="conference.verdant.prc.sun.com" name="Public Chatrooms"/><item jid="search.verdant.prc.sun.com" name="User Search"/></query></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bd9' to='pubsub.verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bda' to='proxy.verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bdb' to='conference.verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bdc' to='search.verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#info'/></iq>

(10:34:04) jabber: Recv (ssl)(2645): <iq type="result" id="purple7fb50bd8" from="verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="server" name="Openfire Server" type="im"/><identity category="pubsub" type="pep"/><feature var="http://jabber.org/protocol/pubsub#manage-subscriptions"/><feature var="http://jabber.org/protocol/pubsub#modify-affiliations"/><feature var="http://jabber.org/protocol/pubsub#retrieve-default"/><feature var="http://jabber.org/protocol/pubsub#collections"/><feature var="jabber:iq:private"/><feature var="http://jabber.org/protocol/disco#items"/><feature var="vcard-temp"/><feature var="http://jabber.org/protocol/pubsub#publish"/><feature var="http://jabber.org/protocol/pubsub#subscribe"/><feature var="http://jabber.org/protocol/pubsub#retract-items"/><feature var="http://jabber.org/protocol/offline"/><feature var="http://jabber.org/protocol/pubsub#meta-data"/><feature var="jabber:iq:register"/><feature var="http://jabber.org/protocol/pubsub#retrieve-subscriptions"/><feature var="http://jabber.org/protocol/pubsub#default_access_model_open"/><feature var="jabber:iq:roster"/><feature var="http://jabber.org/protocol/pubsub#config-node"/><feature var="http://jabber.org/protocol/address"/><feature var="http://jabber.org/protocol/pubsub#publisher-affiliation"/><feature var="http://jabber.org/protocol/pubsub#item-ids"/><feature var="http://jabber.org/protocol/pubsub#instant-nodes"/><feature var="http://jabber.org/protocol/commands"/><feature var="http://jabber.org/protocol/pubsub#multi-subscribe"/><feature var="http://jabber.org/protocol/pubsub#outcast-affiliation"/><feature var="http://jabber.org/protocol/pubsub#get-pending"/><feature var="google:jingleinfo"/><feature var="jabber:iq:privacy"/><feature var="http://jabber.org/protocol/pubsub#subscription-options"/><feature var="jabber:iq:last"/><feature var="http://jabber.org/protocol/pubsub#create-and-configure"/><feature var="http://jabber.org/protocol/pubsub#retrieve-items"/><feature var="jabber:iq:time"/><feature var="http://jabber.org/protocol/pubsub#create-nodes"/><feature var="http://jabber.org/protocol/pubsub#persistent-items"/><feature var="jabber:iq:version"/><feature var="http://jabber.org/protocol/pubsub#presence-notifications"/><feature var="http://jabber.org/protocol/pubsub"/><feature var="http://jabber.org/protocol/pubsub#retrieve-affiliations"/><feature var="http://jabber.org/protocol/pubsub#delete-nodes"/><feature var="http://jabber.org/protocol/pubsub#purge-nodes"/><feature var="http://jabber.org/protocol/disco#info"/><feature var="http://jabber.org/protocol/rsm"/></query></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bdd'><query xmlns='vcard-temp'/></iq>

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bde'><query xmlns='jabber:iq:roster'/></iq>

(10:34:04) jabber: attempt to send presence before roster retrieved

(10:34:04) jabber: Sending (ssl): <iq type='get' id='purple7fb50bdf' to='verdant.prc.sun.com'><query xmlns='http://jabber.org/protocol/disco#items' node='http://jabber.org/protocol/commands'/></iq>

(10:34:04) jabber: Recv (ssl)(2078): <iq type="result" id="purple7fb50bd9" from="pubsub.verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="pubsub" name="Publish-Subscribe service" type="service"/><feature var="http://jabber.org/protocol/pubsub"/><feature var="http://jabber.org/protocol/pubsub#collections"/><feature var="http://jabber.org/protocol/pubsub#config-node"/><feature var="http://jabber.org/protocol/pubsub#create-and-configure"/><feature var="http://jabber.org/protocol/pubsub#create-nodes"/><feature var="http://jabber.org/protocol/pubsub#delete-nodes"/><feature var="http://jabber.org/protocol/pubsub#get-pending"/><feature var="http://jabber.org/protocol/pubsub#instant-nodes"/><feature var="http://jabber.org/protocol/pubsub#item-ids"/><feature var="http://jabber.org/protocol/pubsub#meta-data"/><feature var="http://jabber.org/protocol/pubsub#modify-affiliations"/><feature var="http://jabber.org/protocol/pubsub#manage-subscriptions"/><feature var="http://jabber.org/protocol/pubsub#multi-subscribe"/><feature var="http://jabber.org/protocol/pubsub#outcast-affiliation"/><feature var="http://jabber.org/protocol/pubsub#persistent-items"/><feature var="http://jabber.org/protocol/pubsub#presence-notifications"/><feature var="http://jabber.org/protocol/pubsub#publish"/><feature var="http://jabber.org/protocol/pubsub#publisher-affiliation"/><feature var="http://jabber.org/protocol/pubsub#purge-nodes"/><feature var="http://jabber.org/protocol/pubsub#retract-items"/><feature var="http://jabber.org/protocol/pubsub#retrieve-affiliations"/><feature var="http://jabber.org/protocol/pubsub#retrieve-default"/><feature var="http://jabber.org/protocol/pubsub#retrieve-items"/><feature var="http://jabber.org/protocol/pubsub#retrieve-subscriptions"/><feature var="http://jabber.org/protocol/pubsub#subscribe"/><feature var="http://jabber.org/protocol/pubsub#subscription-options"/><feature var="http://jabber.org/protocol/pubsub#default_access_model_open"/><feature var="http://jabber.org/protocol/disco#info"/></query></iq>

(10:34:04) jabber: Recv (ssl)(363): <iq type="result" id="purple7fb50bda" from="proxy.verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="proxy" name="SOCKS5 Bytestreams Service" type="bytestreams"/><feature var="http://jabber.org/protocol/bytestreams"/><feature var="http://jabber.org/protocol/disco#info"/></query></iq>

(10:34:04) jabber: Recv (ssl)(561): <iq type="result" id="purple7fb50bdb" from="conference.verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="conference" name="Public Chatrooms" type="text"/><identity category="directory" name="Public Chatroom Search" type="chatroom"/><feature var="http://jabber.org/protocol/muc"/><feature var="http://jabber.org/protocol/disco#info"/><feature var="http://jabber.org/protocol/disco#items"/><feature var="jabber:iq:search"/><feature var="http://jabber.org/protocol/rsm"/></query></iq>

(10:34:04) jabber: Recv (ssl)(371): <iq type="result" id="purple7fb50bdc" from="search.verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#info"><identity category="directory" type="user" name="User Search"/><feature var="jabber:iq:search"/><feature var="http://jabber.org/protocol/disco#info"/><feature var="http://jabber.org/protocol/rsm"/></query></iq>

(10:34:04) jabber: Recv (ssl)(106): <iq type="result" id="purple7fb50bdd" to="test1@verdant.prc.sun.com/Home"><vCard xmlns="vcard-temp"/></iq>

(10:34:04) jabber: Recv (ssl)(219): <iq type="result" id="purple7fb50bde" to="test1@verdant.prc.sun.com/Home"><query xmlns="jabber:iq:roster"><item jid="test2@verdant.prc.sun.com" name="test2" subscription="both"><group>Buddies</group></item></query></iq>

(10:34:04) jabber: Sending (ssl): <presence><priority>1</priority><c xmlns='http://jabber.org/protocol/caps' node='http://pidgin.im/caps' ver='2.2.2-1.fc8' ext='mood moodn nick nickn tune tunen avatarmeta avatardata avatar'/></presence>

(10:34:04) jabber: Sending (ssl): <iq type='set' id='purple7fb50be0'><pubsub xmlns='http://jabber.org/protocol/pubsub'><publish node='http://jabber.org/protocol/tune'><item><tune xmlns='http://jabber.org/protocol/tune'><length>0</length></tune></item></publish></pubsub></iq>

(10:34:04) jabber: Recv (ssl)(204): <iq type="result" id="purple7fb50bdf" from="verdant.prc.sun.com" to="test1@verdant.prc.sun.com/Home"><query xmlns="http://jabber.org/protocol/disco#items" node="http://jabber.org/protocol/commands"/></iq>

(10:34:05) jabber: Recv (ssl)(563): <message to="test1@verdant.prc.sun.com/Home" from="test2@verdant.prc.sun.com" id="test2@verdant.prc.sun.com__test1@verdant.prc.sun.com__722cc"><event xmlns="http://jabber.org/protocol/pubsub#event"><items node="http://jabber.org/protocol/tune"><item id="EhnCh3bxqihgRjC"><tune xmlns="http://jabber.org/protocol/tune"><length>0</length></tune></item></items></event><x xmlns="jabber:x:delay" stamp="2007-11-25T06:04:28.355Z"/><addresses xmlns="http://jabber.org/protocol/address"><address type="replyto" jid="test2@verdant.prc.sun.com/Home"/></addresses></message>

(10:34:05) jabber: Recv (ssl)(75): <iq type="result" id="purple7fb50be0" to="test1@verdant.prc.sun.com/Home"/>

(10:34:05) jabber: jabber_iq_parse

(10:34:05) jabber: Recv (ssl)(376): <message to="test1@verdant.prc.sun.com" from="test1@verdant.prc.sun.com" id="http://jabber.org/protocol/tune__test1@verdant.prc.sun.com__1C1h5"><event xmlns="http://jabber.org/protocol/pubsub#event"><items node="http://jabber.org/protocol/tune"><item id="76Op67UX5069HgI"><tune xmlns="http://jabber.org/protocol/tune"><length>0</length></tune></item></items></event></message>

I want to decode what I marked, but I don't know how.

Any help would be appreciated.

Thanks in advance!

The part you have highlighted is a binary GSSAPI token that was wrapped up in BASE64. You can read RFC2744 for the details of the token: http://www.faqs.org/rfcs/rfc2744.html

Thanks for your response!

After roughly reading RFC 2744, I now have the following question.

I can acquire a service ticket after I have an initial ticket (a credential in GSSAPI) via the function gss_init_sec_context, together with a token that needs to be delivered to the service server (the responder in GSSAPI). However, in the XMPP protocol we transfer everything in an XML stream, so I don't know which XML node or attribute is responsible for this. Is it the <auth ...> node? Could you give me a simple guide to shed light on this problem?

BTW, I don't know the relationship between establishing a joint security context and the challenge-response pair in the XMPP protocol.

I guess the challenge-response pair is the process of exchanging the tokens between the client and server to establish the joint security context.

Am I right?

I look forward to hearing from you!

Thanks in advance!

Are you just doing research on the subject? Or are you planning on implementing some client? If you are just looking to understand it, I have more RFCs for you:

http://www.faqs.org/rfcs/rfc2222.html (SASL)

http://www.faqs.org/rfcs/rfc4752.html (The GSSAPI SASL Mechanism)

http://www.faqs.org/rfcs/rfc2743.html (GSSAPI, more general)

http://www.faqs.org/rfcs/rfc2078.html (GSSAPI, older version)

There isn't really a "simple" guide to this, since it's a fairly complex topic. But I would say RFC 4752 does a good job of explaining GSSAPI in a SASL context. That does assume you understand GSSAPI and SASL, though.

So in more layman's terms:

The authentication tokens are just passed as base64-encoded elements in XML. So the first token (from the client) goes with the element until both parties are done, and either success or failure is determined.

Does that help?
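Added here as a worked example (not code from this thread, from Pidgin or from Openfire): a small Python decoder for the tokens in the trace above. It pulls the base64 text out of the <auth>, <challenge> and <response> elements, checks the RFC 2743 framing and the Kerberos V5 mechanism OID, reads the RFC 1964 token ID to tell AP-REQ, AP-REP and Wrap tokens apart, and for an integrity-only Wrap token recovers the RFC 4752 security-layer payload. The second server challenge is copied from the trace; the <auth> sample is constructed with a placeholder AP-REQ body, since a real AP-REQ needs a ticket from a KDC. Function and constant names are my own.

```python
# Added example: decode the GSSAPI tokens XMPP carries as base64 text inside
# <auth>/<challenge>/<response> and name each token's step in the RFC 4752 exchange.
import base64
import re

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
TOKEN_TYPES = {  # RFC 1964 TOK_ID: the two bytes that follow the mechanism OID
    b"\x01\x00": "KRB_AP_REQ",  # client -> server, context establishment
    b"\x02\x00": "KRB_AP_REP",  # server -> client, context accepted
    b"\x03\x00": "KRB_ERROR",
    b"\x01\x01": "MIC",         # GSS_GetMIC per-message token
    b"\x02\x01": "WRAP",        # GSS_Wrap per-message token
}
CKSUM_LEN = {0x0000: 8, 0x0100: 8, 0x0200: 8, 0x0400: 20, 0x1100: 8}  # by SGN_ALG
SEC_LAYERS = {1: "none", 2: "integrity", 4: "confidentiality"}  # RFC 4752 bitmask
EMPTY_ELEMENT = re.compile(r"<(auth|challenge|response)\b[^>]*/>")
FULL_ELEMENT = re.compile(r"<(auth|challenge|response)\b[^>]*>([A-Za-z0-9+/=\s]*)</\1>")

def extract_token(xml_fragment):
    """Return (element name, raw token bytes) for one SASL element."""
    m = EMPTY_ELEMENT.search(xml_fragment)
    if m:
        return m.group(1), b""
    m = FULL_ELEMENT.search(xml_fragment)
    if not m:
        raise ValueError("no SASL element found")
    # The binary token travels as base64 text; whitespace inside it is insignificant.
    return m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2)))

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_gss_token(token):
    """Strip the [APPLICATION 0] framing and classify the Kerberos token inside."""
    if not token or token[0] != 0x60:
        raise ValueError("not an RFC 2743 framed token")
    length, pos = _der_length(token, 1)
    if pos + length != len(token) or token[pos] != 0x06:
        raise ValueError("bad framing length or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    oid, pos = token[pos:pos + oid_len], pos + oid_len
    if oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos V5: " + oid.hex())
    tok_id = token[pos:pos + 2]
    info = {"type": TOKEN_TYPES.get(tok_id, "unknown " + tok_id.hex()),
            "body": token[pos + 2:]}
    if info["type"] == "WRAP":
        info.update(parse_wrap_body(info["body"]))
    return info

def parse_wrap_body(body):
    """Fields of an RFC 1964 Wrap token after TOK_ID."""
    sgn_alg = int.from_bytes(body[0:2], "big")
    seal_alg = int.from_bytes(body[2:4], "big")
    pos = 6 + 8 + CKSUM_LEN[sgn_alg]  # SGN_ALG, SEAL_ALG, filler, SND_SEQ, SGN_CKSUM
    out = {"sgn_alg": sgn_alg, "sealed": seal_alg != 0xFFFF}
    if not out["sealed"]:
        # Integrity only: 8-byte confounder, the plaintext, then 1..8 pad bytes
        # whose value is the pad length; all of it is readable in a capture.
        plain = body[pos + 8:]
        out["data"] = plain[:len(plain) - plain[-1]]
    return out

def security_layer_offer(data):
    """Decode the RFC 4752 payload: bitmask, 24-bit max buffer, optional authzid."""
    if len(data) < 4:
        raise ValueError("RFC 4752 payload is at least 4 bytes")
    return {"layers": [n for bit, n in SEC_LAYERS.items() if data[0] & bit],
            "max_buffer": int.from_bytes(data[1:4], "big"),
            "authzid": data[4:].decode("utf-8")}

def frame(tok_id, body):
    """Build RFC 2743 framing around a Kerberos message (for the constructed sample)."""
    inner = b"\x06" + bytes([len(KRB5_MECH_OID)]) + KRB5_MECH_OID + tok_id + body
    n = len(inner)
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x60" + (bytes([n]) if n < 0x80 else bytes([0x80 | len(enc)]) + enc) + inner

# Constructed sample: an <auth> whose AP-REQ body is a placeholder (a real one
# needs a ticket from a KDC); 200 bytes exercises the long-form DER length.
CLIENT_AUTH = ('<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="GSSAPI">'
               + base64.b64encode(frame(b"\x01\x00", b"\x6e" + bytes(199))).decode()
               + "</auth>")
# Copied from the Pidgin trace in the thread (stray space removed): the second
# server challenge, an integrity-only Wrap token carrying the RFC 4752 offer.
SERVER_OFFER = ('<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
                "YD8GCSqGSIb3EgECAgIBBAD/////VZWA4SXzkBIrwDpdc5urCoeQT5VOPThM6uyL4Vh9Hpgy+kZoAQEAAAQEBAQ="
                "</challenge>")
CLIENT_ACK = '<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'

if __name__ == "__main__":
    for fragment in (CLIENT_AUTH, CLIENT_ACK, SERVER_OFFER):
        name, token = extract_token(fragment)
        info = parse_gss_token(token) if token else {"type": "empty"}
        print(name, info["type"], security_layer_offer(info["data"]) if "data" in info else "")
```

Run against the trace, the first <challenge> (token ID 02 00) is the AP-REP that completes context establishment, which is what the empty <response/> acknowledges, and the second <challenge> decodes as a Wrap token with SGN_ALG 0x0400 and no SEAL_ALG, offering only the "none" security layer with a 65536-byte maximum buffer. Because that token is integrity-protected but not encrypted, its confounder, payload and padding are all visible in a capture, which is exactly why the exchange in the trace happens after STARTTLS: confidentiality here comes from the TLS layer, not from SASL.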

First, thank you very much for your enthusiastic help!

Second, I want to write a simple client to communicate with Openfire to learn the authentication process with Kerberos.

I need confirmation: you mean that establishing a joint security context in GSSAPI is the same as the challenge-response pair in the XMPP protocol, am I right?

If you can provide me with a code snippet to demonstrate it, that would be great!

Thanks!

What do you want to write your client in? Most of the time you don't need to worry too much about the details of GSSAPI, since there are libraries you can use. Java has them, of course. If you plan on writing in C, Linux and Windows have libraries available so you don't need to concern yourself with too many details; just use Cyrus SASL and it should be OK. If you need more specific help on Kerberos and GSSAPI, you might have better luck on the MIT Kerberos mailing list: http://web.mit.edu/kerberos/mail-lists.html

You mean I can use the Cyrus SASL library to communicate with the Openfire server directly and avoid too many details of GSSAPI?

If I use the SASL library, can I easily get the tokens that are written in the <auth> element to communicate with Openfire?

Thanks!