Creating a new pre-authentication plugin
Alejandro Perez Mendez
alex at um.es
Thu Aug 2 04:03:08 EDT 2012
On 02/08/12 03:25, Luke Howard wrote:
>> I believe statelessness here requires that each hop be able to be
>> performed against different KDCs. This is important to me and to
>> others. I recommend you pursue the exported partially established
>> security context token approach to retain statelessness, which I think
>> is eminently feasible (and would benefit us all in other ways).
> Right, and if the immediate target is GSS EAP, then the Moonshot implementation already supports partial context export on the acceptor side. It might be nice if there was a way of negotiating whether this was supported within the protocol, so that for other GSS mechanisms the client could be bound to a single KDC (but I suppose this is difficult to do with stacked mechanisms).
As a matter of fact, it is :). I'm interested then in knowing how you
access this functionality. Can I use it by directly calling
mechglue's gss_export_sec_context()?
We could make the KDC try to obtain a partially exported context. If
successful, that would be the COOKIE. If it fails, then it can send the
*encrypted* {gss_ctx_id_t value, PID of the process}. That way, it would
be easy to reject any pre-authentication directed to the wrong KDC. It
wouldn't assure success, but it avoids most of the memory problems. Even
the supervisor worker could look at the PID value and direct it to the
right queue.
Regards,
Alejandro
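An added sketch of the two-mode cookie proposed above (illustration only, not code from krb5 or Moonshot): mode 1 carries the partially exported context, mode 2 falls back to the {gss_ctx_id_t, PID} pair sealed under a per-KDC key so that a KDC which did not issue the cookie rejects it before touching any state. The cipher is a stand-in built from the standard library (HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC with separate derived keys); the key names and wire layout are assumptions.

```python
import hashlib, hmac, os, struct
from typing import Optional, Tuple

MODE_EXPORTED, MODE_HANDLE = 1, 2   # assumed cookie type tags

def _subkey(kdc_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the per-KDC key.
    return hmac.new(kdc_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF (not real krb5 crypto).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

def _seal(kdc_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(kdc_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(kdc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(kdc_key: bytes, blob: bytes) -> Optional[bytes]:
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(kdc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None   # corrupted, forged, or sealed under another KDC's key
    ks = _keystream(_subkey(kdc_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def make_cookie(kdc_key: bytes, exported_ctx: Optional[bytes],
                ctx_handle: int, pid: int) -> bytes:
    """Prefer the exported partial context; otherwise seal {handle, PID}."""
    if exported_ctx is not None:
        return bytes([MODE_EXPORTED]) + exported_ctx
    return bytes([MODE_HANDLE]) + _seal(kdc_key, struct.pack(">QI", ctx_handle, pid))

def parse_cookie(kdc_key: bytes, cookie: bytes) -> Optional[Tuple]:
    """("exported", blob), ("handle", ctx_handle, pid), or None when rejected."""
    if not cookie:
        return None
    if cookie[0] == MODE_EXPORTED:
        return ("exported", cookie[1:])
    if cookie[0] == MODE_HANDLE:
        pt = _open(kdc_key, cookie[1:])
        if pt is None or len(pt) != 12:
            return None
        handle, pid = struct.unpack(">QI", pt)
        return ("handle", handle, pid)
    return None
```

In the handle mode a supervisor could read the PID from the parsed tuple and route the request to the right worker queue, as suggested above.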