Final call for changes in 1.4
Douglas E. Engert
deengert at anl.gov
Tue Oct 19 09:51:14 EDT 2004
Sam Hartman wrote:
>>>>>>"Douglas" == Douglas E Engert <deengert at anl.gov> writes:
> Douglas> How quickly is the cutoff? Do I have till tomorrow at
> Douglas> least?
> Douglas> One change that has come up on the lists from
> Douglas> time to time is having the gssapi accept_sec_context
> Douglas> accept a service ticket where it can find an entry in the
> Douglas> keytab file for matching service name and instance but
> Douglas> any realm. (rlogin can do this.) Currently it only
> Douglas> works for the default realm of the host.
> Our recommended way of accomplishing this is to pass in
> GSS_C_NO_CREDENTIAL and then check the resulting authentication name.
But what you are saying is to change the application which is following the
GSSAPI specs by acquiring creds with <service>@<host>.
If you pass GSS_NO_CREDENTIAL to accept then any principal in the keytab
I don't want to have to change the applications. With this mod, there
is no change to the application, and only principals
with <service>/<hostname> and any realm in the keytab are acceptable.
> I don't think we are interested in special casing the realm case
> although we would be interested in discussing a mechanism that allowed
> you to have multiple acceptor credentials you were checking against
> for the 1.5 release.
> This might also need discussion in kitten.
Yes, it's a problem with GSSAPI being too generic at times.
Will have to read Nico's draft.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
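
An added example, not part of the original message and not MIT krb5 code: the name check an acceptor would need after accepting with GSS_C_NO_CREDENTIAL, allowing only <service>/<hostname> in any realm, as described in the thread. It assumes the acceptor principal of the established context (for instance the target name reported by gss_inquire_context) has already been rendered as a krb5-style string with backslash escaping; the function names, the 256-byte component limit and the sample principals are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy one principal component from *p into out, stopping at an unescaped
 * '/' or '@'; a backslash escapes the next character. Returns the
 * terminator ('/', '@' or 0), or -1 on overflow or a dangling backslash. */
static int next_component(const char **p, char *out, size_t outlen)
{
    size_t n = 0;
    const char *s = *p;

    while (*s && *s != '/' && *s != '@') {
        if (*s == '\\' && *++s == '\0')
            return -1;                /* dangling backslash */
        if (n + 1 >= outlen)
            return -1;                /* component too long */
        out[n++] = *s++;
    }
    out[n] = '\0';
    *p = *s ? s + 1 : s;
    return (unsigned char)*s;
}

/* Returns 1 only for exactly <service>/<host>@<non-empty realm>.
 * Simplification (assumption): a realm containing an unescaped '/' or '@'
 * is rejected, and host must already be in its canonical form. */
int principal_is_service(const char *princ, const char *service,
                         const char *host)
{
    char comp[256];
    const char *p = princ;

    if (next_component(&p, comp, sizeof comp) != '/' || strcmp(comp, service))
        return 0;                     /* wrong service, or one component only */
    if (next_component(&p, comp, sizeof comp) != '@' || strcmp(comp, host))
        return 0;                     /* wrong host, extra component, no realm */
    /* Any realm is accepted, but it must be present and end the name. */
    return next_component(&p, comp, sizeof comp) == 0 && comp[0] != '\0';
}

int main(void)
{
    /* Constructed sample names; keytab entries may hold several realms. */
    const char *names[] = { "host/node1.example.org@EXAMPLE.ORG",
                            "host/node1.example.org@OTHER.EXAMPLE",
                            "ldap/node1.example.org@EXAMPLE.ORG" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40s %s\n", names[i],
               principal_is_service(names[i], "host", "node1.example.org")
                   ? "accept" : "reject");
    return 0;
}
```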