GSS/SPNEGO/mechglue/krb5 patches for 1.8
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Jan 27 02:39:29 EST 2010
--On Tuesday, January 26, 2010 10:37:51 PM -0500 Danilo Almeida
<dalmeida at likewise.com> wrote:
> <quote from="Nicolas Williams">
> Support or non-support for gss_set_neg_mechs() is actually not that
> important. If you only have two mechanisms then the initiator that
> wants to negotiate only one of them should just pick that one and forget
> SPNEGO. And the acceptor that must allow SPNEGO but only wants to
> accept a subset of mechanisms should check that the actual_mech is an
> acceptable one and fail authentication (e.g., close the connection --
> whatever's appropriate for the given app protocol) if the actual_mech is
> not acceptable.
> </quote>
>
> I am not convinced. That presupposes that you never want the server to
> enforce policy for which mechs are acceptable.
No, it doesn't.
> the acceptor that must allow SPNEGO but only wants to
> accept a subset of mechanisms should check that the actual_mech is an
> acceptable one and fail authentication (e.g., close the connection --
> whatever's appropriate for the given app protocol) if the actual_mech is
> not acceptable.
In other words, you follow the GSS-API model, which is to establish a
context, see if what you got is acceptable, and abort if not.
More information about the krbdev
mailing list