在我看来，您正在尝试重新实现kerberos.在我看来，您想让GSSAPI保护客户端和服务器之间的传输；因此您的客户端需要向服务器进行身份验证.

seems to me in a round about way, you are trying to re-implement kerberos. Seems to me that you want to GSSAPI secure the transport between client and server; so your client needs to authenticate to the server.

典型的方法是使用密钥表"kinit"给主妇，然后将该证书传递给服务器. Kerberos确保它相当难以伪造.

Typical way of doing this would be to 'kinit' to a prinicpal using a keytab, and then passing this credential to the server. Kerberos ensures that it's reasonably hard to fake.

这可能会比您上面描述的方法脆弱一些.

that's probably going to be a little less brittle than the method that you describe above.

-王牌