krb5-libs/1022: accept_sec_context() specifies principal to rd_req()
Douglas E. Engert
deengert at anl.gov
Mon Apr 8 17:02:01 EDT 2002
Sam Hartman wrote:
>
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:
>
> Nicolas> Why not use the default credential, GSS_C_NO_CREDENTIAL
> Nicolas> and then inquire the context for the acceptor name?
>
> I don't think our implementation supports this. I argue that this is
> the correct solution and am leaving the bug open in the hope that
> someone (either at MIT or in the larger community) will get around to
> writing such support.
Well here is something close which we are using. This allows krb5_rd_req
to select the service ticket to use from any in the keytab. As you point
out, it should check that no desired_name was passed to gss_acquire_cred.
*** ,accept_sec_context.c Wed Jan 9 16:27:43 2002
--- accept_sec_context.c Fri Jan 11 14:52:28 2002
***************
*** 345,355 ****
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
--- 617,714 ----
goto fail;
}
! if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
cred->keytab, NULL, &ticket))) {
major_status = GSS_S_FAILURE;
goto fail;
}
+ /*
+ * Allow for lax checking of the princ name. This will allow
+ * us to have ssh and ftp use any of the tickets in the
+ * keytab, as we change from dce.anl.gov to KRB5.ANL.GOV
+ * rlogin already allows this. We will check all but realm.
+ */
+ if ( cred->princ && ticket->server) {
+ int i;
+ int nelem;
+ nelem = krb5_princ_size(context, cred->princ);
+ if (nelem == krb5_princ_size(context,ticket->server)) {
+ for (i = 0; i < nelem; i++) {
+ register const krb5_data *p1 =
+ krb5_princ_component(context, cred->princ ,i);
+ register const krb5_data *p2 =
+ krb5_princ_component(context, ticket->server, i);
+ if (p1->length != p2->length ||
+ memcmp(p1->data, p2->data, p1->length)) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+ } else {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
krb5_auth_con_getauthenticator(context, auth_context, &authdat);
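Review bot: the component-by-component comparison added after krb5_rd_req deliberately skips the realm ("We will check all but realm"), and because the server principal passed to krb5_rd_req is now NULL, rd_req will decrypt the AP-REQ with whichever keytab entry matches the ticket; the net effect is that an acceptor whose credential names host/fqdn@KRB5.ANL.GOV will also accept a ticket for host/fqdn@dce.anl.gov, or for the same name in any other realm whose key happens to be in the keytab. That is the transition behaviour the comment asks for, but as a general change it silently widens what cred->princ means. As Nicolas and Sam suggest upthread, the lax path belongs only where the caller acquired the credential with no desired name (cred->princ NULL, which this guard already handles by skipping the check entirely); when cred->princ is set, either keep passing cred->princ to krb5_rd_req as before, or extend the loop with a comparison of krb5_princ_realm(context, cred->princ) against krb5_princ_realm(context, ticket->server). Two smaller points: the two new goto fail branches set major_status but leave code untouched (it is 0 after a successful rd_req), unlike the rd_req failure branch just above, so the caller sees GSS_S_FAILURE with a zero minor status; and since ticket is now allocated on these new failure paths, confirm that the fail label releases it. The register qualifier on the two krb5_data pointers adds nothing and can go.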
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444