Sanity check: GSSAPI SPI simplifications

Jeffrey Hutzelman jhutz at
Mon May 24 18:49:44 EDT 2010

--On Friday, April 30, 2010 03:52:44 PM -0500 Nicolas Williams 
<Nicolas.Williams at> wrote:

>> 1. The mechglue implements gss_acquire_cred in terms of gss_add_cred,
>> and gss_add_cred in terms of mech->gss_acquire_cred.  It never invokes
>> mech->gss_add_cred.
>> As a consequence, there is about 300 lines of orphaned code in the
>> krb5 mech.  I propose to get rid of it, and to eliminate gss_add_cred
>> from struct gss_config.  (Similarly for gss_add_cred_impersonate_name,
>> which is already nulled out in the krb5 mech.)
> I've noticed this before.  Please do eliminate this dead code.

So, this would make the krb5 mech no longer be a GSS-API implementation.
I suppose that's OK, if you assume that your mech is only ever going to be 
used with your mechglue.  The problem is that as soon as more than one 
implementor makes that assumption, you stop being able to use arbitrary 
sets of mechanisms -- you can only use sets of mechanisms for which there 
is a mechglue with which they are all compatible.

What if I want to use your mechanism, but my OS/application/whatever 
already has its own mechglue?  What if I am building an application that I 
know needs only krb5 and has to run in limited space?

-- Jeff

More information about the krbdev mailing list