GSSAPI and anonymous names and credentials
Nicolas Williams
Nicolas.Williams at sun.com
Thu Dec 17 13:44:50 EST 2009
On Thu, Dec 17, 2009 at 01:27:02PM -0500, Sam Hartman wrote:
> So, we had a discussion a while ago about desired behavior of gss and
> anonymous.
>
> As I recall, the conclusion of that discussion included:
>
> If you set the anonymous flag on a context and provide
> GSS_C_NO_CREDENTIAL, then the library should try to obtain anonymous
> tickets for your use.

I don't think GSS_C_NO_CREDENTIAL is a requirement here.

> What realm should the library contact?
>
> One possible option is that if your service has a realm associated with
> it, then the library should contact that realm.
>
> What about the case where the service has a null realm?

If you want to securely find the acceptor's realm, then you must start
with either:

- the given realm
- a default realm
- any realm for which there is a non-anonymous credential available
  (but which)

Nico