GSS/SPNEGO/mechglue/krb5 patches for 1.8

Nicolas Williams Nicolas.Williams at sun.com
Thu Jan 21 11:21:10 EST 2010


On Thu, Jan 21, 2010 at 09:45:47AM -0500, Sam Hartman wrote:
> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>     Nicolas> Either use GSS_C_NO_CREDENTIAL, or, if you must control
>     Nicolas> what credentials to use, then use gss_acquire_cred() and/or
>     Nicolas> gss_add_cred() for each mechanism that you care about,
>     Nicolas> _including_ SPNEGO if you wish to use SPNEGO.  In addition,
>     Nicolas> if you want to control what mechanisms SPNEGO will
>     Nicolas> negotiate, and with what preference, then use
>     Nicolas> gss_set_neg_mechs() on the credential handle.
> 
> This is a nice theory and I agree it's how it's supposed to work.
> However, do we actually support gss_set_neg_mechs?  If this ticket is

Support or non-support for gss_set_neg_mechs() is actually not that
important.  If you only have two mechanisms then the initiator that
wants to negotiate only one of them should just pick that one and forget
SPNEGO.  And the acceptor that must allow SPNEGO but only wants to
accept a subset of mechanisms should check that the actual_mech is an
acceptable one and fail authentication (e.g., close the connection --
whatever's appropriate for the given app protocol) if the actual_mech is
not acceptable.

> easier to accept than writing a new API at this point in the
> process, then perhaps we should do so.  The bug that you need to be able
> to control what SPNEGO offers seems quite real, and I think we should
> provide some fix to that bug in the 1.8 timeframe if it's causing
> problems for people willing to write code.

I'd much, much rather see gss_set_neg_mechs() implemented.

Nico
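Added illustration (not code from this thread or from MIT krb5) of the acceptor-side check Nico recommends: once gss_accept_sec_context() has returned GSS_S_COMPLETE, compare the actual_mech OID against an allowlist and fail the authentication for anything else. It assumes the standard gss_OID_desc layout (a length plus a pointer to DER-encoded OID bytes); a minimal stand-in typedef is used so the snippet compiles without gssapi.h, and the OID byte strings are the well-known encodings of the Kerberos V5, SPNEGO and NTLMSSP mechanism OIDs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for gssapi.h's gss_OID_desc (assumption: same layout,
 * a length plus a pointer to the DER-encoded OID bytes). */
typedef struct { uint32_t length; void *elements; } oid_desc;

/* Well-known mechanism OIDs in DER encoding (constants constructed here). */
static oid_desc krb5_mech   = { 9,  (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };          /* 1.2.840.113554.1.2.2 */
static oid_desc spnego_mech = { 6,  (void *)"\x2b\x06\x01\x05\x05\x02" };                      /* 1.3.6.1.5.5.2 */
static oid_desc ntlm_mech   = { 10, (void *)"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };      /* 1.3.6.1.4.1.311.2.2.10 */

/* Byte-for-byte OID comparison, the same test gss_oid_equal() performs. */
static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    return a != NULL && b != NULL && a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Acceptor policy: is the mechanism SPNEGO actually settled on one we accept?
 * Call this only after gss_accept_sec_context() reports GSS_S_COMPLETE, since
 * actual_mech may be undefined before then.  A bare SPNEGO OID is rejected as
 * policy: it names the negotiation wrapper, not the mechanism that
 * authenticated the peer. */
int mech_is_acceptable(const oid_desc *actual_mech,
                       const oid_desc *const *allowed, size_t n_allowed)
{
    size_t i;
    if (actual_mech == NULL || oid_equal(actual_mech, &spnego_mech))
        return 0;
    for (i = 0; i < n_allowed; i++)
        if (oid_equal(actual_mech, allowed[i]))
            return 1;
    return 0;   /* unknown or disallowed mechanism: fail the authentication */
}

/* Example policy for an acceptor that offers SPNEGO but only honours Kerberos. */
int krb5_only_policy(const oid_desc *actual_mech)
{
    const oid_desc *allowed[] = { &krb5_mech };
    return mech_is_acceptable(actual_mech, allowed, 1);
}
```

On a rejection the application closes the connection or returns the protocol-appropriate failure, as the message above notes; the check cannot prevent SPNEGO from having negotiated the mechanism, it only refuses to trust the result.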