[krbdev.mit.edu #2210] GSSAPI accept_sec_context() sets INTEG and CONF flags producing inconsistent state with client

Jeffrey Altman jaltman at columbia.edu
Fri Feb 6 12:42:06 EST 2004


The flags are what the client is capable of; not what the client wants.
If the flags are not set by the client and the server uses the functionality
anyway you will lose.


Douglas E. Engert wrote:

>
>The flags might be what the client appl wants, but the SSPI might be
>actually doing both because it only has an enctype that does both. 
>
>So the protection on the packets may be more than the client requested.
>So should the acceptor appl be told what the user requested, or what is
>actually being used?   
>
>
>Jeffrey Altman via RT wrote:
>
>>Microsoft reports that their Kerberos SSPI code is incompatible with MIT
>>GSSAPI when INTEG or CONF modes are used independent of one another.
>>1964 states that the INTEG and CONF flags are to indicate the
>>availability of the modes in the client.  They are not to be set by the
>>server.
>>
>>MIT's clients always set both flags which is fine, but we must be
>>prepared to accept security contexts which only set one of them.
>>
>>_______________________________________________
>>krb5-bugs mailing list
>>krb5-bugs at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/krb5-bugs
>>
>
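An added worked example (not code from this thread, from MIT krb5 or from Microsoft's SSPI) that walks through the point being argued above: the initiator announces INTEG and CONF in the Flags word of the RFC 1964 authenticator checksum, and the acceptor may pass those bits through or drop ones it does not support, but must never add them. The example assumes the RFC 1964 section 1.1.1 checksum layout without the optional delegation fields; `buggy_acceptor_ret_flags` is a model of the behaviour the ticket describes, an assumption about the mechanism rather than a copy of any implementation. The sample checksum bytes are constructed here.

```python
import struct

# GSS-API context flag bits (RFC 2744 values, carried little-endian in the
# Flags field of the RFC 1964 section 1.1.1 authenticator checksum).
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20

BND_LEN = 16  # Lgth is fixed at 16 in RFC 1964


def build_1964_checksum(flags, bindings=bytes(BND_LEN)):
    """Serialize the mandatory part of the RFC 1964 checksum field:
    Lgth (4 bytes LE, always 16) | Bnd (16 bytes) | Flags (4 bytes LE).
    The optional delegation fields (DlgOpt/Dlgth/Deleg) are not emitted."""
    if len(bindings) != BND_LEN:
        raise ValueError("channel binding hash must be 16 bytes")
    return struct.pack("<I", BND_LEN) + bindings + struct.pack("<I", flags)


def parse_1964_checksum(data):
    """Parse what an acceptor reads from the initiator's checksum field.
    Returns (bindings, flags); any delegation data after Flags is ignored."""
    if len(data) < 4 + BND_LEN + 4:
        raise ValueError("checksum field too short")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != BND_LEN:
        raise ValueError("unexpected Bnd length %d" % lgth)
    bindings = data[4:4 + BND_LEN]
    (flags,) = struct.unpack_from("<I", data, 4 + BND_LEN)
    return bindings, flags


def acceptor_ret_flags(client_flags, acceptor_supports):
    """Flags a conforming acceptor reports to its application (ret_flags):
    the initiator's announced capabilities, minus anything the acceptor
    cannot do. INTEG and CONF are only passed through or dropped."""
    return client_flags & acceptor_supports


def buggy_acceptor_ret_flags(client_flags, acceptor_supports):
    """Assumed model of the reported misbehaviour: the acceptor reports
    INTEG and CONF unconditionally, so an initiator that announced only
    one of them ends up talking to an acceptor that believes it has both."""
    return (client_flags & acceptor_supports) | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG


def protection_consistent(client_flags, server_flags):
    """True when the acceptor claims no INTEG/CONF capability the initiator
    did not announce (server's INTEG/CONF bits are a subset of the client's)."""
    mask = GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
    return (server_flags & mask) & ~(client_flags & mask) == 0


def negotiate(client_flags, acceptor_supports, acceptor=acceptor_ret_flags):
    """Round-trip: initiator encodes its flags, acceptor decodes and derives
    ret_flags. Returns (ret_flags, consistent)."""
    token = build_1964_checksum(client_flags)  # constructed sample checksum
    _, announced = parse_1964_checksum(token)
    ret = acceptor(announced, acceptor_supports)
    return ret, protection_consistent(announced, ret)


ALL_FLAGS = (GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG
             | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

if __name__ == "__main__":
    # Initiator capable of integrity only (the SSPI-style case in the ticket).
    client = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG
    print("conforming:", negotiate(client, ALL_FLAGS))
    print("buggy:     ", negotiate(client, ALL_FLAGS, buggy_acceptor_ret_flags))
```

The conforming acceptor returns exactly the MUTUAL and INTEG bits the initiator announced; the modelled buggy acceptor adds CONF, and `protection_consistent` flags the mismatch, which is the inconsistent state the ticket title refers to.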