GSSAPI and anonymous names and credentials

Nicolas Williams Nicolas.Williams at
Thu Dec 17 13:44:50 EST 2009

On Thu, Dec 17, 2009 at 01:27:02PM -0500, Sam Hartman wrote:
> So, we had a discussion a while ago about desired behavior of gss and
> anonymous.
> As I recall, the conclusion of that discussion included:
> If you set the anonymous flag on a context and provide
> GSS_C_NO_CREDENTIAL, then the library should try to obtain anonymous
> tickets for your use.

I don't think GSS_C_NO_CREDENTIAL is a requirement here.

> What realm should the library contact?
> One possible option is that if your service has a realm associated with
> it, then the library should contact that realm.
> What about the case where the service has a null realm?

If you want to securely find the acceptor's realm, then you must start
with either:

 - the given realm
 - a default realm
 - any realm for which there is a non-anonymous credential available
   (but which)


More information about the krbdev mailing list