[krbdev.mit.edu #7171] Multiple GSSAPI krb5 mechanism variants cause repeated operations
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Sep 14 19:30:20 EDT 2012

For reference:

* Heimdal appears to match our new behavior for gss_acquire_cred with no
  specified mechs (that is, it gets creds for all mechanisms).
* Heimdal supports the "wrong" krb5 mech OID (the one used by Microsoft)
  inside its SPNEGO implementation. It doesn't return that OID in
  gss_indicate_mechs and it doesn't let applications use that OID.
* Heimdal doesn't appear to have any support for the "old" krb5 mech OID.

Adopting the above behavior would reduce the number of krb5 cred
acquisition operations for a default gss_acquire_cred from 8 to 4, and
the number of ssh userauth negotiation attempts from 4 to 2.