Proposal to export gssapi context

Sam Hartman hartmans at MIT.EDU
Wed Mar 24 15:23:51 EST 2004

>>>>> "Kevin" == Kevin Coffman <kwc at> writes:

    >> >>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
    Ken> 2) I assume it applies whether the credentials in question are used as
    Ken> initiator or acceptor, and thus could make init_sec_context or
    Ken> accept_sec_context fail?
    >> IT's really only needed on the initiator side.  We could allow it to
    >> be used on the acceptor side but this would be additional complexity.

    Kevin> It might be convenient (for us) to use on the accept side to limit
    Kevin> to what the kernel supports -- despite what the keytab supports.
    Kevin> But this isn't strictly necessary.

Especially if you plan to implement this, that would be fine.  But in
that case you need to decide what to do if you get a ticket with a
session key that is inappropriate.

More information about the krbdev mailing list