GSS/SPNEGO/mechglue/krb5 patches for 1.8
Nicolas Williams
Nicolas.Williams at sun.com
Fri Feb 5 19:12:09 EST 2010
I talked to Greg Hudson about this on #krbdev.
Here's how I think this should all work.
Initiator and acceptor apps that care about what mechanisms are
negotiated should not use GSS_C_NO_CREDENTIAL. However, because
GSS_C_NO_CREDENTIAL is very useful on multi-homed/named acceptors, an
alternative is needed, and that alternative is to acquire a credential
for GSS_C_NO_NAME.

Therefore, apps that care about what mechanisms are negotiated should
do this:
    #include <gssapi/gssapi.h>
    #include <gssapi/gssapi_ext.h>  /* gss_set_neg_mechs() lives here in MIT krb5 */

    OM_uint32 major, minor;
    gss_cred_id_t mycred = GSS_C_NO_CREDENTIAL;
    gss_OID_set desired_mechs = GSS_C_NO_OID_SET;
    gss_cred_usage_t desired_usage = ...;   /* GSS_C_INITIATE or GSS_C_ACCEPT */

    /*
     * Set up desired_mechs to include the desired mech OIDs, including
     * SPNEGO if SPNEGO is desired.
     */
    ...

    /* Acquire a credential for GSS_C_NO_NAME instead of using GSS_C_NO_CREDENTIAL */
    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE,
                             desired_mechs, desired_usage, &mycred, NULL, NULL);
    if (GSS_ERROR(major)) {
        /* handle error */
        ...
    }

    /* Set negotiable mechs on the credential (the set SPNEGO may offer) */
    major = gss_set_neg_mechs(&minor, mycred,
                              /* desired_mechs excluding SPNEGO */ ...);
    if (GSS_ERROR(major)) {
        /* handle error */
        ...
    }

    /* Proceed with gss_init/accept_sec_context() using mycred */
    ...
I'm proposing that the glue can be smart enough to automatically do the
gss_set_neg_mechs() call on behalf of the application, saving developers
a few lines of code.
Nico