user2user GSSAPI [was Re: threading best practices?]

Thomas Maslen Thomas.Maslen at quest.com
Tue Jul 26 00:17:11 EDT 2011


On Sat, 2011-07-23 at 11:02 +0000, Luke Howard <lukeh at padl.com> wrote:
> On 23/07/2011, at 12:22 AM, Nico Williams wrote:
>> On Fri, Jul 22, 2011 at 7:04 PM, Greg Hudson <ghudson at mit.edu> wrote:
[...]
>>> Chris started out by asking about user-to-user auth, so I didn't
>>> redirect him to GSSAPI since, as far as I know, GSSAPI doesn't have a
>>> story there (for the krb5 mech, at least).
>>
>> Indeed, the krb5 mech has no story here.  I'm thinking we should have
>> the initiator send a bogus AP-REQ with a new auth-options flag.  If
>> the server understands it it would respond with a KRB-ERROR with the
>> TGT in the e-data, else with a plain KRB-ERROR.
>
> Hasn't draft-swift-win2k-krb-user2user-03 been shipping since Windows 2000?

Yea, verily, and I believe that in later releases (maybe not 2000, but 2003
onwards) the KDC even sends KDC_ERR_MUST_USE_USER2USER if you try to request
a service ticket to anything that looks like a pure user principal.

I can't speak for other GSS Kerberos implementations, but I know that we
include the GSS initiator and acceptor for user2user (1.2.840.113554.1.2.2.3)
in our own Java GSS implementation.

But no, probably none of this helps Chris (unless there's a user2user GSS
implementation lurking in MIT Kerberos or in Heimdal, or he wants to use
Active Directory and Windows SSPI)...  so yes, for user2user he probably
does have to write Kerberos code rather than GSSAPI code.
