kerberizing with GSASL? GSSAPI and GS2-KRB5 key handling features

[Roman]

Hi Simon,

we're planning to kerberize an application and I would really appreciate
your advice on the question if we should implement it with GSASL or
GSS-API or something else.

Given the following szenario:

Client APP (running on Win7, ADS) --> Server-APP running on Linux-Server

Windows client-APP is developed under Linux and compiled on MinGW/Debian
(so gsasl+kfw would fit). Client-server-app is already using GnuTLS and
cert based auth.
The goal is to enhance it to support auth via KRB5 (+ additional
kerberos ticket handling features).


My understanding is, that GSSAPI allows "full" kerberization, while
GSASL is a more generic implementation with focus on authentication that
also implements *some* GSSAPI features. Is this right?

Assuming that, the following questions remains:

1. OpenSSH has a config option to "# Forward (delegate) credentials
(tickets) to the server":
    GSSAPIDelegateCredentials yes
Does the GSASL implementations of the mechanisms GS2-KRB5 and/or GSSAPI
also allow to delegate "forwardable" and "proxiable" tickets in addition
to ticket for the requested service?

2. OpenSSH can be combined with pam-krb5. Do you have a server side
example code that would allow to use pam for authentication decision?

3. Does the GSASL implementation allows the server side to store the
transferred ticket(s) in the users krb5_ccache file? Can anyone provide
a server side example code?

4. Does GS2-KRB5 supports channel bundling for a complete separated
connection/protocol?
    (This is an optional requirement that could be interesting in an
future step)

Thank you very much
Roman