Credential cache searching, ccapi and file caches
Sam Hartman
hartmans at MIT.EDU
Thu Jul 15 15:46:12 EDT 2004
>>>>> "Matt" == Matt Crawford <crawdad at fnal.gov> writes:
Matt> Another side-comment / wish
Matt> On Jul 14, 2004, at 16:29, Sam Hartman wrote:
>> In the default case we're shooting for we won't know what named
>> credential to use until we know what the target name is.
Matt> On the other end of the wire, I sure wish GSS-based
Matt> applications would not lock themselves down to a particular
Matt> service name before they examine the name the client calls
Matt> them by! We have people who insist on multihoming their
Matt> hosts with a different name for each interface ...
Have you looked at the completely undocumented support for
GSS_C_NO_NAME on the acceptor side introduced into MIT Kerberos 1.3?
If you pass in no name or no credential, gss_accept_sec_context will
work with any key in the keytab. It is recommended that you check the
name that the client used and make sure it is acceptable.
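
The acceptor-side name check recommended in the message above, as an added example that is not part of the original post or of MIT Kerberos. It assumes the target name has already been read from the established context with gss_inquire_context and turned into a "service/host@REALM" string with gss_display_name; the function names, SAMPLE_HOSTS and the example.org names are hypothetical.

```c
#include <string.h>
#include <strings.h>

/* Constructed sample policy: the names of one multihomed host. */
static const char *const SAMPLE_HOSTS[] = {
    "ftp-a.example.org", "ftp-b.example.org"
};

/* Split "service/host@REALM" into its parts. Returns -1 unless the name
 * has exactly two components and a realm, contains no backslash escapes,
 * and every part fits in a buffer of n bytes. */
static int split_principal(const char *p, char *svc, char *host,
                           char *realm, size_t n)
{
    const char *slash = strchr(p, '/');
    const char *at = strrchr(p, '@');
    size_t sl, hl, rl;

    if (strchr(p, '\\') != NULL || slash == NULL || at == NULL || at < slash)
        return -1;
    if (strchr(slash + 1, '/') != NULL || strchr(p, '@') != at)
        return -1;
    sl = (size_t)(slash - p);
    hl = (size_t)(at - slash - 1);
    rl = strlen(at + 1);
    if (sl == 0 || hl == 0 || rl == 0 || sl >= n || hl >= n || rl >= n)
        return -1;
    memcpy(svc, p, sl);          svc[sl] = '\0';
    memcpy(host, slash + 1, hl); host[hl] = '\0';
    memcpy(realm, at + 1, rl + 1);
    return 0;
}

/* Return 1 only if the name the client used is this application's service,
 * in the expected realm, on one of the host's own names. Any other keytab
 * entry that happened to decrypt the ticket is refused. */
int acceptor_name_ok(const char *displayed, const char *service,
                     const char *realm, const char *const *hosts, size_t nhosts)
{
    char s[256], h[256], r[256];
    size_t i;

    if (displayed == NULL || split_principal(displayed, s, h, r, sizeof s) != 0)
        return 0;
    if (strcmp(s, service) != 0 || strcmp(r, realm) != 0)
        return 0;
    for (i = 0; i < nhosts; i++)
        if (strcasecmp(h, hosts[i]) == 0)
            return 1;
    return 0;
}
```

Call acceptor_name_ok once the context is fully established and before doing any work for the client; a return of 0 means the context should be deleted and the connection dropped.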