Creating a new pre-authentication plugin

Alejandro Perez Mendez alex at
Thu Aug 2 04:11:12 EDT 2012

On 02/08/12 08:56, Luke Howard wrote:
>> I we had the table of valid handlers, we could add a expiration time.
>>  From time to time, mechglue can lookup for expired contexts and delete
>> them. Though I think this may be highly inefficient.
> I think it would be less intrusive to make this the responsibility of the preauthentication plugin rather than changing the mechglue.

Sure, but note that even if the mechglue does not do that, doesn't mean 
it shouldn't do it :). Looking at the specs, GSS-API has the ability to 
return some kind of INVALID_CONTEXT error code.

Anyway, as this is not the IETF list, but the Krb-dev mailing list, and 
we are talking about actual implementations, you are completely right. I 
think performing strong changes to mechglue library is something way out 
of my intentions :).

>> The problem with this approach is that exporting partially established
>> contexts is something not allowed by current GSS-API specification.
> The GSS-API specification can be evolved; plenty of things that modern mechanisms use, such as the PRF and naming extensions, were not allowed by the original GSS-API specification.

You are right.


> -- Luke

More information about the krbdev mailing list