GSSAPI and anonymous names and credentials
Nicolas.Williams at sun.com
Thu Dec 17 13:44:50 EST 2009
On Thu, Dec 17, 2009 at 01:27:02PM -0500, Sam Hartman wrote:
> So, we had a discussion a while ago about desired behavior of gss and
> As I recall, the conclusion of that discussion included:
> If you set the anonymous flag on a context and provide
> GSS_C_NO_CREDENTIAL, then the library should try to obtain anonymous
> tickets for your use.

I don't think GSS_C_NO_CREDENTIAL is a requirement here.

> What realm should the library contact?
> One possible option is that if your service has a realm associated with
> it, then the library should contact that realm.
> What about the case where the service has a null realm?

If you want to securely find the acceptor's realm, then you must start
- the given realm
- a default realm
- any realm for which there is a non-anonymous credential available