Credential cache searching, ccapi and file caches

Sam Hartman hartmans at MIT.EDU
Thu Jul 15 15:46:12 EDT 2004

>>>>> "Matt" == Matt Crawford <crawdad at> writes:

    Matt> Another side-comment / wish
    Matt> On Jul 14, 2004, at 16:29, Sam Hartman wrote:

    >> In the default case we're shooting for we won't know what named
    >> credential to use until we know what the target name is.

    Matt> On the other end of the wire, I sure wish GSS-based
    Matt> applications would not lock themselves down to a particular
    Matt> service name before they examine the name the client calls
    Matt> them by! We have people who insist on multihoming their
    Matt> hosts with a different name for each interface ...

Have you looked at the completely undocumented support for
GSS_C_NO_NAME on the acceptor side introduced into MIT Kerberos 1.3?
If you pass in no name or no credential, gss_accept_sec_context will
work with any key in the keytab.  It is recommended that you check the
name that the client used and make sure it is acceptable.
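
The name check recommended above, as an added example in C that is not part of the original message or of MIT Kerberos. It assumes the acceptor has already read the name the context was established for (for instance via gss_inquire_context and gss_display_name) as a "service/host@REALM" string; the service, realm and interface host names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy for a multihomed host: one service, one realm,
 * one principal per interface name. All values are illustrative. */
static const char *const ALLOWED_HOSTS[] = { "gw-a.example.org", "gw-b.example.org" };
static const char *const EXPECTED_SERVICE = "host";
static const char *const EXPECTED_REALM = "EXAMPLE.ORG";

/* Returns 1 if princ ("service/host@REALM") names a service this
 * acceptor is willing to be, 0 otherwise. Accepting with any key in
 * the keytab means every other keytab entry must be rejected here. */
int acceptor_name_ok(const char *princ)
{
    char buf[256];
    size_t n = princ ? strlen(princ) : 0;
    if (n == 0 || n >= sizeof buf)
        return 0;                      /* missing or oversized name */
    memcpy(buf, princ, n + 1);

    char *at = strrchr(buf, '@');
    char *slash = strchr(buf, '/');
    if (!at || !slash || slash > at)
        return 0;                      /* not service/host@REALM */
    *at = '\0';
    *slash = '\0';
    const char *service = buf, *host = slash + 1, *realm = at + 1;

    if (strchr(host, '/'))
        return 0;                      /* extra name components */
    if (strcmp(service, EXPECTED_SERVICE) != 0)
        return 0;                      /* another service's key was used */
    if (strcmp(realm, EXPECTED_REALM) != 0)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++)
        if (strcmp(host, ALLOWED_HOSTS[i]) == 0)
            return 1;                  /* one of our interface names */
    return 0;
}

int main(void)
{
    /* Constructed sample names. */
    const char *samples[] = { "host/gw-b.example.org@EXAMPLE.ORG",
                              "HTTP/gw-a.example.org@EXAMPLE.ORG" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", samples[i], acceptor_name_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```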

