GSS-API and libkrb5 behavior for Anonymous tickets
Nicolas Williams
Nicolas.Williams at sun.com
Tue Nov 3 11:39:28 EST 2009
If you use the anonymous req_flag and a non-default credential handle,
and the credential handle is for anonymous desired_name, then there's no
"pathetic" fallback on non-anonymous authentication.
But if you use the anonymous req_flag and the default credential handle,
then technically the mechanism is free to not give you anonymity.
Given that there's a way to get anonymity-or-failure, I don't mind what
you call the "pathetic option".
> * If I pass the anonymous name into gss_acquire_credentials, what
> happens?
You should get credentials.
> 1) If my default credentials are anonymous, then it works. Otherwise,
> if I'm using KIM I may try to obtain anonymous credentials, but on
> Unix I fail.
Why do you fail?
> 2) If my default credentials are anonymous I use them. Otherwise, I
> set up a new memory ccache and try to obtain anonymous credentials.
> If I fail, I return an error.
Yes.
> 3) Option 2 as above, except that if I fail to obtain anonymous
> credentials, then I use my default credentials.
No!
> Then I have some questions about libkrb5.
>
> Several things need to happen to request anonymous credentials from an AS:
>
> * You need the anonymous principal name as the client
> * You need the anonymous KDC option set
> * You must use pkinit with DH
>
> First krb5 question: How much work should krb5_get_init_creds do to
> make things consistent. For example, should setting the client
> principal name to anonymous set the anonymous option? Should setting
> the anonymous option set the client principal name? Should either of
> the above force pkinit?
Yes, yes, and yes only if a pre-auth method wasn't requested by the app.
> Second question: I want to introduce an API that takes a realm and a
> ccache and tries to obtain anonymous credentials for that realm. Does
> this sound good?
Yes.
Nico