GSS-API and libkrb5 behavior for Anonymous tickets

Nicolas Williams Nicolas.Williams at
Tue Nov 3 11:39:28 EST 2009

If you use the anonymous req_flag and a non-default credential handle,
and the credential handle is for anonymous desired_name, then there's no
"pathetic" fallback on non-anonymous authentication.

But if you use the anonymous req_flag and the default credential handle,
then technically the mechanism is free to not give you anonymity.

Given that there's a way to get anonymity-or-failure, I don't mind what
you call the "pathetic option".

> * If I pass the anonymous name into gss_acquire_credentials, what
>   happens?

You should get credentials.

> 1) If my default credentials are anonymous, then it works.  Otherwise,
> if I'm using KIM I may try to obtain anonymous credentials, but on
> Unix I fail.

Why do you fail?

> 2) If my default credentials are anonymous I use them.  Otherwise, I
> set up a new memory ccache and try to obtain anonymous credentials.
> If I fail, I return an error.


> 3) Option 2 as above, except that if I fail to obtain anonymous
> credentials, then  I use my default credentials.


> Then I have some questions about libkrb5.
> Several things need to happen to request anonymous credentials from an AS:
> * You need the anonymous principal name as the client
> * You need the anonymous KDC option set
> * You must use pkinit with DH
> First krb5 question: How much work should krb5_get_init_creds do to
> make things consistent.  For example, should setting the client
> principal name to anonymous set the anonymous option?  Should setting
> the anonymous option set the client principal name?  Should either of
> the above force pkinit?

Yes, yes, and yes only if a pre-auth method wasn't requested by the app.

> Second question: I want to introduce an API that takes a realm and a
> ccache and tries to obtain anonymous credentials for that realm.  Does
> this sound good?



More information about the krbdev mailing list