SPNEGO and Kerberos credentials

Rahul Srinivas srahul at novell.com
Sat Jul 5 00:53:42 EDT 2008


There is one difference between my patches and the other two patches. In the other patches, if you do gss_acquire_cred() for gss_mech_spnego, any Kerberos credentials acquired will be available to krb5_gss_accept_sec_context() (either through spnego_gss_accept_sec_context() or directly). But if you do gss_acquire_cred() for gss_mech_krb5, the credential acquired will not be available to spnego_gss_accept_sec_context() - this happens to be the problem in my code. In my patch, the second case is handled but not the first. It looks like both of them are required. But since SPNEGO is a pseudo mechanism, I prefer the second approach - add various credential elements into a credential and give it to the SPNEGO mechanism instead of letting the SPNEGO mechanism acquire the credentials.

-Rahul

>>> On Fri, Jul 4, 2008 at 6:49 AM, in message
<486D7AAB.2010704 at kadzban.is-a-geek.net>, Bryan Kadzban
<bryan at kadzban.is-a-geek.net> wrote:
> S Rahul wrote:
>> But if I select SPNEGO as the mechanism, the credential does not pass
>> down to krb5_gss_accept_sec_context(). It gets filtered in the GSSAPI
>> layer itself and a new credential is generated when 
>> spnego_gss_accept_sec_context() calls gss_accept_sec_context().
> 
> This sounds similar to the issue I had a few weeks back with SPNEGO and
> storing delegated credentials.  See krbdev RT, ticket 5807 [1] for one
> patch, and see Debian bug 480434 [2] for another.
> 
> Looks like your patch modifies the same function as both of these
> patches, though it modifies it differently.  Do either of these patches
> solve the problem you're seeing, or is your issue actually different?
> (Both patches are basically equivalent: both return the krb5 credential
> instead of failing, when the input is an SPNEGO credential.  The only
> difference is how they get to the SPNEGO OID, to compare it.)
> 
> [1]
> http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=5807
> 
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480434
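The two acquisition approaches weighed in the message above, as an added example that is not part of the thread and not code from MIT Kerberos or from the patches it references. It models the mechglue layer in plain Python: a union credential holds one credential element per mechanism, keyed by the DER-encoded mechanism OID, and each acceptor asks the union for the element of its own mechanism. The OIDs are the real krb5 and SPNEGO mechanism OIDs; the function names, the keytab path and the credential element tuples are this model's own assumptions.

```python
"""Model of GSSAPI union credentials and the two acquisition approaches
compared in the message above.

Added example, not code from MIT Kerberos or from any of the patches named
in the thread.  The mechglue layer is modelled with plain Python: a union
credential holds one credential element per mechanism, keyed by the
DER-encoded mechanism OID, and each acceptor asks the union for the
element of its own mechanism.  Names such as acquire_cred and
spnego_accept are this model's, not the C API's.
"""

# Real mechanism OIDs in dotted form.  Their DER contents (without the
# 0x06 tag and length) are what a gss_OID_desc carries in .elements.
KRB5_MECH = "1.2.840.113554.1.2.2"
SPNEGO_MECH = "1.3.6.1.5.5.2"


def encode_oid(dotted):
    """DER-encode the arcs of an OID: first two arcs packed into one byte,
    the rest as base-128 with the high bit set on every byte but the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


class NoCred(Exception):
    """Stands in for a GSS_S_NO_CRED major status."""


class UnionCred:
    """Credential elements keyed by encoded mechanism OID."""

    def __init__(self):
        self.elements = {}

    def add(self, mech, element):
        self.elements[encode_oid(mech)] = element

    def element_for(self, mech):
        try:
            return self.elements[encode_oid(mech)]
        except KeyError:
            raise NoCred(mech) from None


def acquire_cred(desired_mechs, keytab, spnego_acquires_krb5):
    """Model of gss_acquire_cred(GSS_C_ACCEPT) for the listed mechanisms.

    spnego_acquires_krb5=True is the first approach: asking for SPNEGO also
    yields a krb5 element.  False is the approach the author prefers: the
    caller lists every mechanism whose element the credential should hold.
    """
    cred = UnionCred()
    for mech in desired_mechs:
        if mech == KRB5_MECH:
            cred.add(KRB5_MECH, ("krb5", keytab))
        elif mech == SPNEGO_MECH:
            cred.add(SPNEGO_MECH, ("spnego", keytab))
            if spnego_acquires_krb5:
                cred.add(KRB5_MECH, ("krb5", keytab))
        else:
            raise ValueError("unsupported mechanism %s" % mech)
    return cred


def krb5_accept(cred):
    """krb5 acceptor: needs the krb5 element, nothing else."""
    return cred.element_for(KRB5_MECH)


def spnego_accept(cred):
    """SPNEGO acceptor: needs its own element, then delegates the
    negotiated inner mechanism (krb5 here) to the krb5 acceptor."""
    cred.element_for(SPNEGO_MECH)
    return krb5_accept(cred)


def acceptor_outcomes(desired_mechs, spnego_acquires_krb5):
    """Return (krb5_ok, spnego_ok) for a credential acquired one way.
    The keytab path is a placeholder; nothing is read from disk."""
    cred = acquire_cred(desired_mechs, "FILE:/etc/krb5.keytab", spnego_acquires_krb5)
    results = []
    for accept in (krb5_accept, spnego_accept):
        try:
            accept(cred)
            results.append(True)
        except NoCred:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    # The gap the message describes: a krb5-only credential is useless to
    # the SPNEGO acceptor regardless of which approach the library takes.
    print(acceptor_outcomes([KRB5_MECH], spnego_acquires_krb5=True))  # (True, False)
    # Listing both mechanisms satisfies both acceptors under either approach.
    print(acceptor_outcomes([KRB5_MECH, SPNEGO_MECH], False))  # (True, True)
```

The practical check this encodes: whichever way the library resolves the first case, an acceptor that may be reached either directly over krb5 or through SPNEGO should acquire its credential with both mechanism OIDs in the desired set, so that a union credential with both elements is what every accept path sees.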