GSS/SPNEGO/mechglue/krb5 patches for 1.8

Nicolas Williams Nicolas.Williams at
Mon Feb 8 13:40:19 EST 2010

On Mon, Feb 08, 2010 at 01:25:39PM -0500, Greg Hudson wrote:
> On Fri, 2010-02-05 at 16:04 -0500, Nicolas Williams wrote:
> > I am, however, starting to think that SPNEGO should be integrated more
> > closely with the mechglue.  The idea being that if you pass in a
> > credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
> > SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
> > without having to separately call gss_set_neg_mechs().
> Now that I have a slightly better understanding of the landscape... this
> feels awkward.  When you acquire credentials for SPNEGO, at least in our
> implementation, the SPNEGO code will go out and get its own union
> credential structure for all of the supported mechanisms.  So in your
> usage scenario, the app would be holding a union cred structure
> containing Kerberos creds at the top-level union layer, and then again
> inside the SPNEGO credentials.

Let's go through this:

App->mechglue: gss_acquire_cred(..., GSS_C_NO_NAME, desired_mechs={krb5,
     mechglue->krb5: gss_acquire_cred(..., GSS_C_NO_NAME, ...)
     mechglue->ntlm: gss_acquire_cred(..., GSS_C_NO_NAME, ...)
     mechglue->spnego: gss_acquire_cred(..., GSS_C_NO_NAME, ...)
               spnego->mechglue: re-enter mechglue
		   gss_acquire_cred(..., GSS_C_NO_NAME,
				    desired_mechs={all-but-spnego}, ...)
                       mechglue: acquire a new cred, but this time for
		                 all mechs except spnego
                       mechglue->krb5: ...
                       mechglue->ntlm: ...
App->mechglue: gss_init/accept_sec_context(..., <cred from above>, ...)
               with SPNEGO as the mech

     mechglue->spnego: gss_set_neg_mechs(..., spnego cred, neg_mechs={krb5, ntlm})
     mechglue->spnego: gss_init/accept_sec_context(...)
               spnego->mechglue: re-enter to handle gss_init/accept_sec_context()
			         for the actual mech

To me this seems perfectly natural.


More information about the krbdev mailing list