[krbdev.mit.edu #6938] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Jun 18 13:06:03 EDT 2015


Implement GSS_KRB5_CRED_NO_CI_FLAGS_X cred option

Microsoft implements GSS-SPNEGO, a non-standard SASL mechanism which
omits the usual wrap exchange after the GSS context is established.
As a result, it does not support authzids, does not negotiate a
maximum message size, and implicitly negotiates a security layer based
on the GSS flags asserted by the client.  If the client asserts GSS
flags corresponding to a security layer the server can't support, the
server has no recourse except to reject the connection.

Implement Heimdal's GSS_KRB5_CRED_NO_CI_FLAGS_X cred option.  When set
on an initiator cred, do not assert the confidentiality and integrity
flags in initiator tokens unless they were requested by the caller.

Our SPNEGO mechanism always requests integrity from the underlying
mechanism, which limits the utility of this option.  That issue will
be addressed in the future; even if it isn't, Samba currently uses its
own SPNEGO implementation, so it can benefit from the cred option in
krb5.

[ghudson at mit.edu: expand GSS_KRB5_CRED_NO_CI_FLAGS_X comment, edit
commit message, use a boolean cred field]

https://github.com/krb5/krb5/commit/7e6965ae33338216650384ca559d49e90312087a
Author: Andreas Schneider <asn at samba.org>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 7e6965ae33338216650384ca559d49e90312087a
Branch: master
 src/lib/gssapi/krb5/acquire_cred.c     |    1 +
 src/lib/gssapi/krb5/gssapiP_krb5.h     |    1 +
 src/lib/gssapi/krb5/gssapi_krb5.c      |   24 ++++++++++++++++++++++++
 src/lib/gssapi/krb5/gssapi_krb5.h      |   10 ++++++++++
 src/lib/gssapi/krb5/init_sec_context.c |   14 ++++++++------
 src/lib/gssapi/libgssapi_krb5.exports  |    1 +
 src/lib/gssapi32.def                   |    2 ++
 7 files changed, 47 insertions(+), 6 deletions(-)
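The commit message above describes two pieces of behaviour that are easy to get wrong when reading it quickly: the initiator always asserts CONF and INTEG unless the new cred option is set, and a GSS-SPNEGO acceptor infers its security layer from those asserted flags because there is no wrap exchange to negotiate one. The following is an added example, written for this page and not taken from krb5, Heimdal or Samba. It models that logic in plain C so the effect of the option can be seen end to end. The flag values are the RFC 2744 constants; the function names, the `suppress_ci_flags` parameter (standing in for the cred field the commit adds) and the `max_supported` layer argument are this example's own assumptions.

```c
/*
 * Added example (not krb5, Heimdal or Samba code): a model of the
 * GSS_KRB5_CRED_NO_CI_FLAGS_X behaviour described in the commit message.
 *
 * Initiator: the krb5 mechanism historically OR-ed GSS_C_CONF_FLAG and
 * GSS_C_INTEG_FLAG into the flags it asserts in the context token, whether
 * or not the caller asked for them.  With the cred option set it asserts
 * only what the caller requested.
 *
 * Acceptor: GSS-SPNEGO has no wrap exchange, so the server derives the
 * security layer from the asserted flags and must reject the connection
 * when that layer is one it cannot provide.
 *
 * Flag values are the RFC 2744 constants.  Function names and the
 * suppress_ci_flags / max_supported parameters are assumptions of this
 * example, not krb5 API.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GSS_C_DELEG_FLAG    1u
#define GSS_C_MUTUAL_FLAG   2u
#define GSS_C_REPLAY_FLAG   4u
#define GSS_C_SEQUENCE_FLAG 8u
#define GSS_C_CONF_FLAG     16u
#define GSS_C_INTEG_FLAG    32u

/* Ordered so that a server supporting a higher layer also supports the
 * lower ones (confidentiality implies integrity). */
enum sec_layer { LAYER_NONE = 0, LAYER_INTEGRITY = 1, LAYER_CONFIDENTIALITY = 2 };

/* Initiator side: flags asserted in the initial context token.
 * suppress_ci_flags models a cred with GSS_KRB5_CRED_NO_CI_FLAGS_X set. */
uint32_t initiator_asserted_flags(uint32_t req_flags, bool suppress_ci_flags)
{
    uint32_t flags = req_flags;
    if (!suppress_ci_flags) {
        /* Pre-option behaviour: always advertise conf and integ. */
        flags |= GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
    }
    return flags;
}

/* Acceptor side: the security layer a GSS-SPNEGO server implicitly
 * negotiates from the flags the client asserted. */
enum sec_layer implied_layer(uint32_t asserted_flags)
{
    if (asserted_flags & GSS_C_CONF_FLAG)
        return LAYER_CONFIDENTIALITY;
    if (asserted_flags & GSS_C_INTEG_FLAG)
        return LAYER_INTEGRITY;
    return LAYER_NONE;
}

/* True when the acceptor has no recourse but to reject: the client's
 * flags imply a layer beyond what this server can provide. */
bool server_must_reject(uint32_t asserted_flags, enum sec_layer max_supported)
{
    return implied_layer(asserted_flags) > max_supported;
}

static const char *layer_name(enum sec_layer l)
{
    switch (l) {
    case LAYER_NONE:            return "none";
    case LAYER_INTEGRITY:       return "integrity";
    case LAYER_CONFIDENTIALITY: return "confidentiality";
    }
    return "?";
}

int main(void)
{
    /* Constructed scenario: a client that only wants mutual authentication
     * talks to a server that cannot apply any security layer. */
    uint32_t wanted = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
    bool option_settings[2] = { false, true };

    for (int i = 0; i < 2; i++) {
        uint32_t asserted = initiator_asserted_flags(wanted, option_settings[i]);
        printf("NO_CI_FLAGS_X=%d asserted=0x%02x implied layer=%s -> %s\n",
               option_settings[i], asserted, layer_name(implied_layer(asserted)),
               server_must_reject(asserted, LAYER_NONE) ? "REJECT" : "accept");
    }
    /* A client that genuinely wants integrity still gets it with the
     * option set; the option only stops the unrequested flags. */
    uint32_t asserted = initiator_asserted_flags(wanted | GSS_C_INTEG_FLAG, true);
    printf("integrity requested: implied layer=%s\n", layer_name(implied_layer(asserted)));
    return 0;
}
```

In a real client the option is enabled on the acquired initiator credential before `gss_init_sec_context` is called; in MIT krb5 that is done through `gss_set_cred_option` from `gssapi/gssapi_ext.h` with the `GSS_KRB5_CRED_NO_CI_FLAGS_X` OID that this commit exports, passing an empty buffer since the option carries no value (the calling convention is stated here from the author's reading of the Heimdal option, not from the diff, which shows only the file list). The model above also makes the limitation in the commit message concrete: if the SPNEGO layer itself always passes `GSS_C_INTEG_FLAG` to the krb5 mechanism, `implied_layer` still returns integrity even with the option set, which is why the message notes that only a caller driving the krb5 mechanism directly (as Samba's own SPNEGO does) benefits today.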
