GSS/SPNEGO/mechglue/krb5 patches for 1.8
Nicolas Williams
Nicolas.Williams at sun.com
Mon Feb 8 13:40:19 EST 2010
On Mon, Feb 08, 2010 at 01:25:39PM -0500, Greg Hudson wrote:
> On Fri, 2010-02-05 at 16:04 -0500, Nicolas Williams wrote:
> > I am, however, starting to think that SPNEGO should be integrated more
> > closely with the mechglue. The idea being that if you pass in a
> > credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
> > SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
> > without having to separately call gss_set_neg_mechs().
>
> Now that I have a slightly better understanding of the landscape... this
> feels awkward. When you acquire credentials for SPNEGO, at least in our
> implementation, the SPNEGO code will go out and get its own union
> credential structure for all of the supported mechanisms. So in your
> usage scenario, the app would be holding a union cred structure
> containing Kerberos creds at the top-level union layer, and then again
> inside the SPNEGO credentials.
Let's go through this:

App->mechglue:      gss_acquire_cred(..., GSS_C_NO_NAME,
                                     desired_mechs={krb5, ntlm, spnego}, ...)
  mechglue->krb5:     gss_acquire_cred(..., GSS_C_NO_NAME, ...)
  mechglue->ntlm:     gss_acquire_cred(..., GSS_C_NO_NAME, ...)
  mechglue->spnego:   gss_acquire_cred(..., GSS_C_NO_NAME, ...)
    spnego->mechglue:   re-enter mechglue
                        gss_acquire_cred(..., GSS_C_NO_NAME,
                                         desired_mechs={all-but-spnego}, ...)
      mechglue:           acquire a new cred, but this time for
                          all mechs except spnego
        mechglue->krb5:     ...
        mechglue->ntlm:     ...
        ...

App->mechglue:      gss_init/accept_sec_context(..., <cred from above>, ...)
                    with SPNEGO as the mech
  mechglue->spnego:   gss_set_neg_mechs(..., spnego cred, neg_mechs={krb5, ntlm})
  mechglue->spnego:   gss_init/accept_sec_context(...)
    spnego->mechglue:   re-enter to handle gss_init/accept_sec_context()
                        for the actual mech

To me this seems perfectly natural.
Nico
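The call flow above, modelled in code as an added illustration (this is not part of the original post and not MIT krb5's mechglue or SPNEGO implementation). The model assumes three mechanisms (krb5, ntlm, spnego), a UnionCred holding one element per mechanism, a SpnegoCred that wraps the union cred SPNEGO obtains by re-entering the mechglue, and a trace of the dispatch steps; GSS_C_NO_NAME is modelled as None. It shows the two points raised in the thread: the Kerberos/NTLM elements end up both at the top-level union layer and again inside the SPNEGO credential, and the mechglue can derive SPNEGO's neg_mechs from the union cred's other elements without the application calling gss_set_neg_mechs() itself.

```python
# Toy model of the mechglue / SPNEGO credential flow in the message above.
# Constructed illustration code, not MIT krb5's mechglue or SPNEGO; mechanism
# names, the UnionCred/SpnegoCred shapes and the trace strings are assumptions.
from dataclasses import dataclass, field

KRB5, NTLM, SPNEGO = "krb5", "ntlm", "spnego"
GSS_C_NO_NAME = None


@dataclass
class MechCred:
    """A single mechanism's credential element (krb5, ntlm, ...)."""
    mech: str
    name: object


@dataclass
class UnionCred:
    """The mechglue's union credential: one element per mechanism."""
    elements: dict = field(default_factory=dict)


@dataclass
class SpnegoCred:
    """SPNEGO's credential: the union cred it acquired by re-entering the
    mechglue, plus the list of mechanisms it may negotiate."""
    inner: UnionCred
    neg_mechs: list = field(default_factory=list)


class Mechglue:
    def __init__(self):
        self.trace = []
        self.mechs = [KRB5, NTLM, SPNEGO]  # mechanisms this mechglue knows

    # gss_acquire_cred: one element per desired mech
    def acquire_cred(self, desired_name, desired_mechs):
        union = UnionCred()
        for mech in desired_mechs:
            self.trace.append(f"mechglue->{mech}: gss_acquire_cred")
            if mech == SPNEGO:
                union.elements[mech] = self._spnego_acquire_cred(desired_name)
            else:
                union.elements[mech] = MechCred(mech, desired_name)
        return union

    def _spnego_acquire_cred(self, desired_name):
        # SPNEGO re-enters the mechglue for every mech except itself.
        self.trace.append("spnego->mechglue: gss_acquire_cred(all-but-spnego)")
        inner = self.acquire_cred(desired_name,
                                  [m for m in self.mechs if m != SPNEGO])
        return SpnegoCred(inner=inner)

    # gss_set_neg_mechs on the SPNEGO element
    def set_neg_mechs(self, spnego_cred, neg_mechs):
        self.trace.append(f"mechglue->spnego: gss_set_neg_mechs({sorted(neg_mechs)})")
        spnego_cred.neg_mechs = list(neg_mechs)

    # gss_init_sec_context (accept would dispatch the same way)
    def init_sec_context(self, cred, mech):
        if mech != SPNEGO:
            self.trace.append(f"mechglue->{mech}: gss_init_sec_context")
            return f"{mech}-token"
        # The integration proposed in the message: neg_mechs come from the
        # union cred's other elements, so the app never calls set_neg_mechs.
        spnego_cred = cred.elements[SPNEGO]
        self.set_neg_mechs(spnego_cred, [m for m in cred.elements if m != SPNEGO])
        self.trace.append("mechglue->spnego: gss_init_sec_context")
        # SPNEGO picks a mech and re-enters the mechglue with its inner cred.
        chosen = spnego_cred.neg_mechs[0]
        self.trace.append(f"spnego->mechglue: gss_init_sec_context({chosen})")
        return self.init_sec_context(spnego_cred.inner, chosen)


def duplicated_mechs(cred):
    """Mechs held both at the top-level union layer and again inside the
    SPNEGO credential (the duplication Greg points out)."""
    inner = cred.elements[SPNEGO].inner.elements
    return sorted(m for m in cred.elements if m != SPNEGO and m in inner)


def run_flow():
    glue = Mechglue()
    cred = glue.acquire_cred(GSS_C_NO_NAME, [KRB5, NTLM, SPNEGO])
    token = glue.init_sec_context(cred, SPNEGO)
    return cred, token, glue.trace


if __name__ == "__main__":
    cred, token, trace = run_flow()
    print("\n".join(trace))
    print("duplicated:", duplicated_mechs(cred), "token:", token)
```

Running it prints the same sequence of arrows as the sketch above; the krb5 and ntlm acquire steps appear twice, once from the application's call and once from SPNEGO's re-entry.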