GSS/SPNEGO/mechglue/krb5 patches for 1.8

Danilo Almeida dalmeida at likewise.com
Tue Jan 26 22:37:51 EST 2010


<quote from="Nicolas Williams">
Support or non-support for gss_set_neg_mechs() is actually not that
important.  If you only have two mechanisms then the initiator that
wants to negotiate only one of them should just pick that one and forget
SPNEGO.  And the acceptor that must allow SPNEGO but only wants to
accept a subset of mechanisms should check that the actual_mech is an
acceptable one and fail authentication (e.g., close the connection --
whatever's appropriate for the given app protocol) if the actual_mech is
not acceptable.
</quote>

I am not convinced.  That presupposes that you never want the server to
enforce policy for which mechs are acceptable.

<quote from="Nicolas Williams">
I'd much, much rather see gss_set_neg_mechs() implemented.
</quote>

That would work.

- Danilo
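The acceptor-side check described in the quoted text above, as an added example that is not part of the original message or of the krb5 code base: compare the negotiated mechanism OID against an allow-list and fail authentication when it does not match. `mech_oid` is a stand-in for `gss_OID_desc`; the krb5-only policy and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_OID_desc (same two fields) so this builds without GSS-API
 * headers; a real acceptor passes the mech_type from gss_accept_sec_context(). */
typedef struct { unsigned int length; const void *elements; } mech_oid;

static const unsigned char KRB5_DER[] =      /* 1.2.840.113554.1.2.2 */
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char SPNEGO_DER[] =    /* 1.3.6.1.5.5.2 */
    {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
/* Constructed sample: the krb5 OID with one extra arc appended. */
static const unsigned char KRB5_PLUS_DER[] =
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x03};

static const mech_oid MECH_KRB5 = {sizeof KRB5_DER, KRB5_DER};
static const mech_oid MECH_SPNEGO = {sizeof SPNEGO_DER, SPNEGO_DER};
static const mech_oid MECH_KRB5_PLUS = {sizeof KRB5_PLUS_DER, KRB5_PLUS_DER};

/* Assumed server policy: only Kerberos 5 is acceptable. */
static const mech_oid *const ALLOWED[] = {&MECH_KRB5};

/* Exact match: lengths must agree before the bytes are compared, so an OID
 * that merely begins with an allowed OID does not pass. */
static int oid_equal(const mech_oid *a, const mech_oid *b)
{
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

/* Returns 1 if actual_mech is on the allow-list, 0 otherwise. Fails closed on
 * a missing or empty OID; on 0 the caller fails authentication. */
int mech_is_acceptable(const mech_oid *actual_mech)
{
    if (!actual_mech || !actual_mech->elements || actual_mech->length == 0)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (oid_equal(actual_mech, ALLOWED[i]))
            return 1;
    return 0;
}

int main(void)
{
    printf("krb5=%d spnego=%d krb5+arc=%d\n", mech_is_acceptable(&MECH_KRB5),
           mech_is_acceptable(&MECH_SPNEGO), mech_is_acceptable(&MECH_KRB5_PLUS));
    return 0;
}
```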




