[krbdev.mit.edu #8217] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Jul 17 23:37:30 EDT 2015
Limit use of deprecated krb5 mech OIDs
Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set
of mechanisms obtained by SPNEGO, and from the set used when
gss_acquire_cred() is called with no desired_mechs attribute.
SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but
SPNEGO initiators will not offer them. According to [MS-SPNG], only
Windows 2000 does not recognize the standard krb5 OID, and it is
client-only.
In gss-client.c, use the standard krb5 OID for the -krb5 option, as
acceptors who call gss_acquire_cred() with no desired_mechs to create
an acceptor cred will no longer accept the old or wrong krb5 OIDs.
https://github.com/krb5/krb5/commit/7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
Author: Greg Hudson <ghudson at mit.edu>
Commit: 7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
Branch: master
src/appl/gss-sample/gss-client.c | 2 +-
src/lib/gssapi/mechglue/g_acquire_cred.c | 11 +++++++++--
src/lib/gssapi/spnego/spnego_mech.c | 14 +++++++++++---
3 files changed, 21 insertions(+), 6 deletions(-)
More information about the krb5-bugs
mailing list