[krbdev.mit.edu #6938] krb5 and ldap signed traffic
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue May 19 16:59:25 EDT 2015
There doesn't appear to be a spec for this SASL mechanism, but Simo
found a reference informally explaining it:
https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575
As described in the second message, this non-standard SASL mechanism
omits the usual wrap exchange after the GSS context is established.
As a result, it does not support authzids, does not negotiate a
maximum message size, and implicitly negotiates a security layer
based on the GSS flags asserted by the client. There does not appear
to be any way for the server to disclaim support for a security
layer, so if the client asserts GSS flags the server doesn't want to
support, the server has no alternative but to reject the connection.
I think this is sufficient justification for supporting Heimdal's
interface to control the flags asserted by the krb5 mech.
https://github.com/krb5/krb5/pull/283 is the pull request for doing
this.
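To make the difference concrete, the following is an added example (not code from the krb5 project or from this ticket) contrasting the standard SASL GSSAPI security-layer negotiation of RFC 4752, where the server sends a 4-byte token (a layer bitmask plus a 24-bit maximum message size) that the client answers, with the implicit negotiation the message describes, where no such exchange happens and the layer follows from the GSS flags the client asserted. The GSS flag values are the standard ones from gssapi.h; the "server_allows" policy mask and the helper names are constructed for illustration.

```python
"""Constructed comparison: RFC 4752 security-layer negotiation versus the
implicit, flag-driven negotiation of the non-standard LDAP SASL mechanism.
Illustrative code only; not part of krb5."""

# GSS-API request/return flag bits (RFC 2744 / gssapi.h)
GSS_C_CONF_FLAG = 16   # confidentiality (sealing) available
GSS_C_INTEG_FLAG = 32  # integrity (signing) available

# RFC 4752 security-layer bitmask values carried in the wrap exchange
SEC_NONE = 1
SEC_INTEGRITY = 2
SEC_CONFIDENTIALITY = 4


def encode_rfc4752_token(layers, max_size):
    """Build the 4-byte server token: 1 byte layer bitmask + 3 bytes max size."""
    if not 0 <= max_size < (1 << 24):
        raise ValueError("max message size must fit in 24 bits")
    if layers & ~(SEC_NONE | SEC_INTEGRITY | SEC_CONFIDENTIALITY):
        raise ValueError("unknown security-layer bit")
    return bytes([layers]) + max_size.to_bytes(3, "big")


def decode_rfc4752_token(token):
    """Parse the 4-byte token into (layer bitmask, max message size)."""
    if len(token) != 4:
        raise ValueError("RFC 4752 security-layer token must be 4 bytes")
    return token[0], int.from_bytes(token[1:4], "big")


def rfc4752_choose_layer(server_token, client_preference):
    """Standard path: the client picks the first layer it prefers that the
    server explicitly offered, and learns the negotiated max message size."""
    offered, max_size = decode_rfc4752_token(server_token)
    for layer in client_preference:
        if offered & layer:
            return layer, max_size
    # The server advertised nothing the client will accept; a compliant
    # client aborts the authentication here rather than guessing.
    raise ValueError("no mutually acceptable security layer")


def implicit_layer_from_flags(ret_flags, server_allows):
    """Non-standard path described in the ticket: no wrap exchange, so the
    layer is inferred from the GSS flags established in the context. Returns
    the implied layer, or None when the server does not support it, in which
    case its only option is to reject the connection."""
    if ret_flags & GSS_C_CONF_FLAG:
        layer = SEC_CONFIDENTIALITY
    elif ret_flags & GSS_C_INTEG_FLAG:
        layer = SEC_INTEGRITY
    else:
        layer = SEC_NONE
    # No max-message-size value exists on this path; there is no token
    # in which the server could have carried one.
    if not server_allows & layer:
        return None
    return layer


if __name__ == "__main__":
    # Constructed sample: server offers all three layers with a 64 KiB limit.
    tok = encode_rfc4752_token(SEC_NONE | SEC_INTEGRITY | SEC_CONFIDENTIALITY, 65536)
    print("RFC 4752:", rfc4752_choose_layer(tok, [SEC_CONFIDENTIALITY, SEC_INTEGRITY]))
    # Constructed sample: client asserted conf+integ, server only wants "none".
    print("implicit:", implicit_layer_from_flags(GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG, SEC_NONE))
```

The second sample is the situation the message warns about: with the flags already asserted by the client and no token in which the server can decline them, `implicit_layer_from_flags` has nothing to return but a rejection, which is why a client-side control over the flags the krb5 mech asserts is the practical fix.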