GSS/SPNEGO/mechglue/krb5 patches for 1.8

Greg Hudson ghudson at MIT.EDU
Mon Feb 8 13:25:39 EST 2010


On Fri, 2010-02-05 at 16:04 -0500, Nicolas Williams wrote:
> I am, however, starting to think that SPNEGO should be integrated more
> closely with the mechglue.  The idea being that if you pass in a
> credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
> SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
> without having to separately call gss_set_neg_mechs().

Now that I have a slightly better understanding of the landscape... this
feels awkward.  When you acquire credentials for SPNEGO, at least in our
implementation, the SPNEGO code will go out and get its own union
credential structure for all of the supported mechanisms.  So in your
usage scenario, the app would be holding a union cred structure
containing Kerberos creds at the top-level union layer, and then again
inside the SPNEGO credentials.

(Regardless, this is a longer-term question.  The immediate question is
what we do for 1.8.  For that, I am still working on implementing
gss_set_neg_mechs, although it's slow going since I'm still fairly new
to the GSSAPI code.)




