Delegated creds and SPNEGO

Nicolas Williams Nicolas.Williams at sun.com
Thu Aug 27 01:07:10 EDT 2009


On Wed, Aug 26, 2009 at 09:09:32PM -0700, Love Hörnquist Åstrand wrote:
> 26 aug 2009 kl. 11:10 skrev Nicolas Williams:
> >Bad example.  That's supposed to work like this:
> >
> >- optional: import a desired name
> >- required: call gss_acquire/add_cred() with SPNEGO as a desired_mech,
> >  and, if you have one, a desired name (see above)
> 
> How does this get you only NTLM credentials and not Kerberos  
> credentials ? Getting Kerberos credential might have side-effects you  
> don't want to trigger.

SPNEGO should defer re-entering gss_acquire/add_cred() until the next
step in the list below happens:

> >- optional: call gss_set_neg_mechs() on the acquired credential to set
> >  the mechs that SPNEGO may negotiate
> >- required: call gss_init/accept_sec_context() with the resulting
> >  credential handle
> > 
> > [...]

> And then you delegate, get your delegated credentials on the acceptor,
> how to turn that back into SPNEGO/.... credentials so that you can use
> SPNEGO/compression/whatever-pseudo-mech again ?

You must first store them somewhere with gss_store_cred(), so that you
can re-acquire; gss_store_cred(), like gss_acquire/add_cred() and
GSS_C_NO_CREDENTIAL, refers to the "current credential store".  Setting
up credential stores and changing the current credential store are
outside the scope of the GSS-API and really are OS-dependent matters
(e.g., putenv("KRB5CCNAME=...")? setuid()?  setup keyrings?  PAGs?  all
OS-specific).

> >>                            since that cuts out all other pseudo
> >>combined mechs (like compression).
> >
> >Not sure I follow.
> 
> if you special case SPNEGO, you also need to special case all other  
> combined mechs.

Our special case does not actually check for the SPNEGO OID.  It's a
very simple special case (if (have_deleg_cred && actual_mech !=
initial_context_token_mech) then expect the mech to have returned a
mechglue cred, not a mech cred).  It could use a tiny tweak for the case
of composite mechs (instead of actual_mech != initial_context_token_mech
it needs to check that initial_context_token_mech is equal to or a
prefix of actual_mech).

Nico
-- 
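The mechglue decision Nico describes (a delegated credential is a plain mech cred only when the mech of the initial context token is equal to, or an OID-arc prefix of, the actual mech; otherwise SPNEGO or another pseudo-mech negotiated something else and a mechglue cred is expected), written out as an added, stand-alone C example. This is not code from the thread or from any GSS-API implementation: the `mech_oid` struct is a local stand-in for `gss_OID_desc` so the example compiles without the GSS-API headers, the function and enum names are the example's own, and the "composite" OID that extends Kerberos V5 by one arc is hypothetical. The Kerberos V5 and SPNEGO OID encodings are the real ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for gss_OID_desc: a DER-encoded OID body (no tag/length),
 * the same shape <gssapi/gssapi.h> uses. Defined here so the example builds
 * without the GSS-API headers. */
typedef struct {
    size_t length;
    const unsigned char *elements;
} mech_oid;

/* Constructed sample OIDs (DER arc encoding):
 *   Kerberos V5  1.2.840.113554.1.2.2  -> 2a 86 48 86 f7 12 01 02 02
 *   SPNEGO       1.3.6.1.5.5.2         -> 2b 06 01 05 05 02
 *   A hypothetical composite mech that extends Kerberos V5 by one arc (0x07). */
static const unsigned char KRB5_BYTES[]      = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char SPNEGO_BYTES[]    = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char COMPOSITE_BYTES[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x07};

const mech_oid KRB5_MECH      = { sizeof KRB5_BYTES,      KRB5_BYTES };
const mech_oid SPNEGO_MECH    = { sizeof SPNEGO_BYTES,    SPNEGO_BYTES };
const mech_oid COMPOSITE_MECH = { sizeof COMPOSITE_BYTES, COMPOSITE_BYTES };

/* True when `prefix` equals `oid` or is a leading run of whole arcs of it.
 * Each DER arc is base-128 with bit 7 set on every byte except its last, so
 * a well-formed prefix must end on a byte with bit 7 clear; checking that
 * guarantees a byte-wise match never splits an arc in the middle. */
bool oid_is_prefix(const mech_oid *prefix, const mech_oid *oid)
{
    if (prefix->length == 0 || prefix->length > oid->length)
        return false;
    if (prefix->elements[prefix->length - 1] & 0x80)
        return false;                       /* ends mid-arc: not a valid OID prefix */
    return memcmp(prefix->elements, oid->elements, prefix->length) == 0;
}

typedef enum {
    DELEG_NONE,            /* no delegated credential was returned */
    DELEG_MECH_CRED,       /* same (or composite-extended) mech: a mech-level cred */
    DELEG_MECHGLUE_CRED    /* mech changed (e.g. SPNEGO -> krb5): expect a mechglue cred */
} deleg_cred_kind;

/* The special case from the message, with the composite-mech tweak applied:
 * instead of `actual_mech != initial_context_token_mech`, test whether the
 * initial token's mech is equal to or a prefix of the actual mech. */
deleg_cred_kind classify_deleg_cred(bool have_deleg_cred,
                                    const mech_oid *initial_token_mech,
                                    const mech_oid *actual_mech)
{
    if (!have_deleg_cred)
        return DELEG_NONE;
    if (oid_is_prefix(initial_token_mech, actual_mech))
        return DELEG_MECH_CRED;
    return DELEG_MECHGLUE_CRED;
}

int main(void)
{
    static const char *names[] = { "none", "mech cred", "mechglue cred" };
    printf("SPNEGO -> krb5:      %s\n", names[classify_deleg_cred(true, &SPNEGO_MECH, &KRB5_MECH)]);
    printf("krb5 -> krb5:        %s\n", names[classify_deleg_cred(true, &KRB5_MECH, &KRB5_MECH)]);
    printf("krb5 -> composite:   %s\n", names[classify_deleg_cred(true, &KRB5_MECH, &COMPOSITE_MECH)]);
    printf("no delegated cred:   %s\n", names[classify_deleg_cred(false, &SPNEGO_MECH, &KRB5_MECH)]);
    return 0;
}
```

The mid-arc guard is the part worth keeping when adapting this: a plain `memcmp` on a truncated OID body can report a "prefix" that actually cuts a multi-byte arc in half, which would misclassify the credential for any mech whose arcs happen to share leading bytes.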