GSS/SPNEGO/mechglue/krb5 patches for 1.8

Nicolas Williams Nicolas.Williams at
Fri Feb 5 16:04:46 EST 2010

On Sat, Jan 30, 2010 at 12:07:51PM -0500, Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at> writes:
>     Jeffrey> In other words, you follow the GSS-API model, which is to
>     Jeffrey> establish a context, see if what you got is acceptable, and
>     Jeffrey> abort if not.
> This produces bad results for SPNEGO.  With SPNEGO, the server has the
> option of saying that it doesn't like some mechanism and selecting
> another.  You're saying that rather than availing itself of that option
> an application should fail.  I disagree.

Can we have a description of the patches being proposed please?

Can we have an explanation of why gss_get/set_neg_mechs() are not

I am, however, starting to think that SPNEGO should be integrated more
closely with the mechglue.  The idea being that if you pass in a
credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
without having to separately call gss_set_neg_mechs().

The way this alternative would work is thus: the mechglue would notice
that a given provider (in this case, mech_spnego) has a set_neg_mechs()s
entry point, and would call it with the list of mechanisms for which the
glue credential has elements.


More information about the krbdev mailing list