GSS/SPNEGO/mechglue/krb5 patches for 1.8
Nicolas Williams
Nicolas.Williams at sun.com
Fri Feb 5 16:04:46 EST 2010
On Sat, Jan 30, 2010 at 12:07:51PM -0500, Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> Jeffrey> In other words, you follow the GSS-API model, which is to
> Jeffrey> establish a context, see if what you got is acceptable, and
> Jeffrey> abort if not.
>
> This produces bad results for SPNEGO. With SPNEGO, the server has the
> option of saying that it doesn't like some mechanism and selecting
> another. You're saying that rather than availing itself of that option
> an application should fail. I disagree.
Can we have a description of the patches being proposed please?
Can we have an explanation of why gss_get/set_neg_mechs() are not
practical?
I am, however, starting to think that SPNEGO should be integrated more
closely with the mechglue. The idea being that if you pass in a
credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
without having to separately call gss_set_neg_mechs().
The way this alternative would work is thus: the mechglue would notice
that a given provider (in this case, mech_spnego) has a set_neg_mechs()
entry point, and would call it with the list of mechanisms for which the
glue credential has elements.
Nico
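The glue-level dispatch Nico sketches above, modelled as an added example. This is constructed illustration code, not the MIT krb5 mechglue or mech_spnego sources: the `provider_t`/`glue_cred_t` types, the `glue_configure_neg_mechs()` function and the optional `set_neg_mechs` entry point are assumptions standing in for the real mechglue tables, and the mechanism OIDs are written as dotted-decimal strings for readability rather than as `gss_OID` byte encodings. The glue walks the credential's elements, hands every non-negotiation mechanism to the one provider that exports `set_neg_mechs`, and refuses an ambiguous credential that carries two such providers.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MECHS 8

/* Stand-in for a gss_OID: dotted-decimal text instead of DER bytes (constructed). */
typedef const char *mech_oid_t;

/* Well-known mechanism OIDs, written in dotted form. */
static const char *const OID_KRB5   = "1.2.840.113554.1.2.2";   /* Kerberos V5 */
static const char *const OID_NTLM   = "1.3.6.1.4.1.311.2.2.10"; /* NTLMSSP */
static const char *const OID_SPNEGO = "1.3.6.1.5.5.2";          /* SPNEGO */

/* A mechanism provider as the glue sees it (hypothetical layout).
 * set_neg_mechs is optional: only a negotiation mech such as SPNEGO has it. */
typedef struct provider {
    mech_oid_t oid;
    int (*set_neg_mechs)(struct provider *self, const mech_oid_t *mechs, size_t n);
    mech_oid_t neg_mechs[MAX_MECHS];   /* negotiable set stored by the SPNEGO provider */
    size_t neg_count;
} provider_t;

/* A glue credential: one element per underlying mechanism (hypothetical layout). */
typedef struct {
    provider_t *elements[MAX_MECHS];
    size_t count;
} glue_cred_t;

/* The SPNEGO provider's entry point: record which mechs it may negotiate. */
static int spnego_set_neg_mechs(provider_t *self, const mech_oid_t *mechs, size_t n)
{
    if (n == 0 || n > MAX_MECHS)
        return -1;                      /* nothing to negotiate, or list too long */
    memcpy(self->neg_mechs, mechs, n * sizeof *mechs);
    self->neg_count = n;
    return 0;
}

/* The proposed glue step: once the credential has been acquired, find the
 * provider that exports set_neg_mechs and pass it every other mechanism the
 * credential has an element for, so the caller never calls
 * gss_set_neg_mechs() itself.
 * Returns the number of mechs handed over, 0 if no negotiation provider is
 * present in the credential, or -1 on error (two negotiators, or rejection). */
int glue_configure_neg_mechs(glue_cred_t *cred)
{
    provider_t *negotiator = NULL;
    mech_oid_t list[MAX_MECHS];
    size_t n = 0;

    for (size_t i = 0; i < cred->count; i++) {
        provider_t *p = cred->elements[i];
        if (p->set_neg_mechs != NULL) {
            if (negotiator != NULL)
                return -1;              /* two negotiation mechs: ambiguous, refuse */
            negotiator = p;
        } else {
            list[n++] = p->oid;         /* a concrete mech SPNEGO may offer */
        }
    }

    if (negotiator == NULL)
        return 0;                       /* plain credential, nothing to configure */
    if (negotiator->set_neg_mechs(negotiator, list, n) != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    /* Constructed credential: krb5 + NTLM + SPNEGO elements, as in the message. */
    provider_t krb5   = { OID_KRB5,   NULL,                  {0}, 0 };
    provider_t ntlm   = { OID_NTLM,   NULL,                  {0}, 0 };
    provider_t spnego = { OID_SPNEGO, spnego_set_neg_mechs,  {0}, 0 };
    glue_cred_t cred  = { { &krb5, &ntlm, &spnego }, 3 };

    int rc = glue_configure_neg_mechs(&cred);
    printf("mechs handed to SPNEGO: %d\n", rc);
    for (size_t i = 0; i < spnego.neg_count; i++)
        printf("  %s\n", spnego.neg_mechs[i]);
    return rc < 0;
}
```

The order of `list` is the order of the credential's elements, which is the only ordering information the glue has at this point; a real implementation would still need a policy for preference order and for credentials whose elements were added after the initial acquire.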