gss_pname_to_uid: is that the right interface

Nico Williams nico at cryptonector.com
Thu Sep 22 11:33:43 EDT 2011


On Thu, Sep 22, 2011 at 9:18 AM, Love Hörnquist Åstrand <lha at h5l.org> wrote:
> 22 sep 2011 kl. 11:08 skrev Danilo Almeida:
>> Adding OS authorization notions such as username or uid as new calls into
>> GSSAPI seems like a really bad idea

I agree that a well-known name extension should do.  However, this
aname2localname thing so long precedes naming extensions, and
localnames are so pervasive, that it's worth having this as a
first-class feature.

That said, I much prefer that the OS provide an integrated
authorization facility.  This means passing GSS objects to PAM, SSSD,
etcetera, so that PACs, PADs, and so on can be extracted and used if
present and relevant.

In other words, I agree with this:

> Not having it creates security bugs; there are plenty of examples where people do gss_display_name() and then cut the string at the @ and call it a username.

So much so that maybe we should have multiple alternate display
syntaxes for each mech & name type, and pick one randomly in
gss_display_name()!  Yes, I'm kidding, mostly :)

Nico
--
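The "cut the display name at the @" pattern quoted above is easy to reproduce outside of any GSS-API library, since the damage is done entirely in string handling. The following is an added illustration, not code from this thread, from MIT krb5 or from Heimdal: it parses the krb5 display syntax (where a backslash escapes `/`, `@` and `\`), and compares the naive cut with a mapping that only accepts single-component principals from a configured local realm. The `LOCAL_USER_RE` pattern, the realm allow-list and the sample principals are all constructed for the example.

```python
"""Why cutting gss_display_name() output at '@' is not a username mapping.

Added example (not code from the thread, MIT krb5 or Heimdal). It makes no
GSS-API calls; it only models the display-name string that gss_display_name()
returns for a Kerberos principal and shows what the naive cut gets wrong.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str


def parse_display_name(name: str) -> Principal:
    """Parse a Kerberos principal in krb5 display syntax.

    A backslash escapes the next character, so '/', '@' and '\\' may occur
    inside a component. Exactly one unescaped '@' separates the components
    from the realm; anything else is rejected rather than guessed at.
    """
    components, cur = [], []
    in_realm = escaped = False
    for ch in name:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif not in_realm and ch == "/":
            components.append("".join(cur))
            cur = []
        elif ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@' in %r" % name)
            components.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
    if escaped:
        raise ValueError("trailing backslash in %r" % name)
    if not in_realm:
        raise ValueError("no realm in %r" % name)
    realm = "".join(cur)
    if not realm or "" in components:
        raise ValueError("empty realm or component in %r" % name)
    return Principal(tuple(components), realm)


def naive_username(display_name: str) -> str:
    """The pattern the thread warns about: everything before the first '@'."""
    return display_name.split("@", 1)[0]


# Constructed policy: what a well-formed local account name looks like here.
LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def localname(principal: Principal, local_realms: FrozenSet[str]) -> Optional[str]:
    """Map a principal to a local account, or None when there is no mapping.

    Only a single-component principal in a configured local realm maps, and
    only when the component already is a well-formed local username. Anything
    else (foreign realm, instance component, odd characters) maps to nothing,
    which is what a gss_pname_to_uid()/localname facility should do by default.
    """
    if principal.realm not in local_realms:
        return None
    if len(principal.components) != 1:
        return None
    user = principal.components[0]
    if not LOCAL_USER_RE.match(user):
        return None
    return user


# Constructed sample display names; EXAMPLE.COM plays the local realm.
SAMPLES = (
    "alice@EXAMPLE.COM",            # legitimate local user
    "alice@PARTNER.EXAMPLE.NET",    # same short name, different realm
    "root/admin@EXAMPLE.COM",       # admin instance, not an account
    r"bob\@mail@EXAMPLE.COM",       # escaped '@' inside the component
)


def compare(samples: Iterable[str] = SAMPLES,
            local_realms: FrozenSet[str] = frozenset({"EXAMPLE.COM"})
            ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {display_name: (naive cut, realm-aware mapping)} for each sample."""
    out = {}
    for s in samples:
        try:
            mapped = localname(parse_display_name(s), local_realms)
        except ValueError:
            mapped = None
        out[s] = (naive_username(s), mapped)
    return out


if __name__ == "__main__":
    for name, (naive, mapped) in compare().items():
        print("%-28s naive=%-12r mapped=%r" % (name, naive, mapped))
```

The second sample is the one that matters: `alice@PARTNER.EXAMPLE.NET` is a different principal from the local `alice`, yet the naive cut hands it the local account. The realm-aware mapping returns `None` for it, and also for the `root/admin` instance and for a component that merely contains an escaped `@`.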