Hi All,

Greg Hudson ghudson at mit.edu
Tue May 26 18:01:29 EDT 2020


On 5/26/20 2:54 AM, Ming Zhi wrote:
> But with GSSAPI, I cannot find an official way to set the hook between the
> `context' creation and the start of kdc traffic, as is done in a single
> function `gss_init_sec_context'. The worst situation is that I need to get
> hands dirty to change the source code.

Unfortunately I don't think we have a good solution here.  We have a
"locate" pluggable interface [1] which might work (basically, have it
always return a local service, which then parses out the realm name from
the request).

I am personally fond of the idea of having a krb5 interface to control
the per-thread krb5_context object used by the GSS mech, for situations
like these.  But other people have disliked the idea, so I haven't
implemented it.

[1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html
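
The locate-plugin approach in the reply above depends on a local service that reads the realm out of each request it receives. As an added example (not part of the original message and not MIT krb5 code), here is a bounds-checked DER walk that extracts `realm` from the `req-body` of an AS-REQ or TGS-REQ as laid out in RFC 4120. The function names and the sample request are constructed for illustration, and the input is assumed to be the bare message (for TCP, after the 4-byte length prefix has been stripped).

```python
AS_REQ, TGS_REQ, SEQ, GENERAL_STRING = 0x6A, 0x6C, 0x30, 0x1B  # DER tag bytes (RFC 4120)

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the TLV at pos, bounds-checked against end."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value runs past enclosing element")
    return tag, pos, pos + length

def find(buf, start, end, want):
    """Return the value bounds of the first child tagged `want` inside [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        if tag == want:
            return vs, ve
        start = ve
    raise ValueError(f"tag 0x{want:02x} not found")

def realm_from_kdc_req(msg):
    """Extract req-body.realm from a bare AS-REQ/TGS-REQ (untrusted input)."""
    tag, vs, ve = read_tlv(msg, 0, len(msg))
    if tag not in (AS_REQ, TGS_REQ):
        raise ValueError("not an AS-REQ or TGS-REQ")
    # KDC-REQ SEQUENCE -> req-body [4] -> KDC-REQ-BODY SEQUENCE -> realm [2] -> GeneralString
    for want in (SEQ, 0xA4, SEQ, 0xA2, GENERAL_STRING):
        vs, ve = find(msg, vs, ve, want)
    return msg[vs:ve].decode("ascii")

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_as_req(realm):  # constructed AS-REQ skeleton, not a captured packet
    body = tlv(SEQ, tlv(0xA0, tlv(0x03, bytes(5))) + tlv(0xA2, tlv(GENERAL_STRING, realm.encode()))
               + tlv(0xA7, b"\x02\x01\x2a") + tlv(0xA8, tlv(SEQ, b"\x02\x01\x12")))
    return tlv(AS_REQ, tlv(SEQ, tlv(0xA1, b"\x02\x01\x05") + tlv(0xA2, b"\x02\x01\x0a") + tlv(0xA4, body)))
```

The context tag `[2]` appears twice in a KDC-REQ (`msg-type` in the outer sequence, `realm` inside `req-body`), which is why the walk descends level by level instead of scanning for the first `0xA2` byte.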

