GSS/SPNEGO/mechglue/krb5 patches for 1.8

Nicolas Williams Nicolas.Williams at
Fri Feb 5 19:12:09 EST 2010

I talked to Greg Hudson about this on #krbdev.

Here's how I think this should all work.

Initiator and acceptor apps that care about what mechanisms are
negotiatied should not use GSS_C_NO_CREDENTIAL.  However, because
GSS_C_NO_CREDENTIAL is very useful on multi-homed/named acceptors, an
alternative is needed, and that alternative is to acquire a credential

Therefore, apps that care about what mechanisms are negotiatied should
do this:

	gss_cred_id_t mycred;
	gss_OID_set desired_mechs;
	gss_cred_usage_t desired_usage = ...;

	 * Setup desired_mechs to include desired mech OIDs, including
	 * SPNEGO if SPNEGO is desired.
	major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
	    desired_mechs, desired_usage, &mycred, NULL, NULL);
	if (GSS_ERROR(major) != GSS_S_COMPLETE) {
		/* handle error */

	/* Set negotiable mechs */
	major = gss_set_neg_mechs(&min, mycred,
	    /* desired_mechs excluding SPNEGO */ ...);
	if (GSS_ERROR(major) != GSS_S_COMPLETE) {
		/* handle error */

	/* Proceed with gss_init/accept_sec_context() using mycred */

I'm proposing that the glue can be smart enough to automatically do the
gss_set_neg_mechs() call on behalf of the application, saving developers
a few lines fo code.


More information about the krbdev mailing list