Creating a new pre-authentication plugin
Alejandro Perez Mendez
alex at um.es
Thu Aug 2 04:11:12 EDT 2012
On 02/08/12 08:56, Luke Howard wrote:
>> I we had the table of valid handlers, we could add a expiration time.
>> From time to time, mechglue can lookup for expired contexts and delete
>> them. Though I think this may be highly inefficient.
> I think it would be less intrusive to make this the responsibility of the preauthentication plugin rather than changing the mechglue.
Sure, but note that even if the mechglue does not do that, doesn't mean
it shouldn't do it :). Looking at the specs, GSS-API has the ability to
return some kind of INVALID_CONTEXT error code.
Anyway, as this is not the IETF list, but the Krb-dev mailing list, and
we are talking about actual implementations, you are completely right. I
think performing strong changes to mechglue library is something way out
of my intentions :).
>> The problem with this approach is that exporting partially established
>> contexts is something not allowed by current GSS-API specification.
> The GSS-API specification can be evolved; plenty of things that modern mechanisms use, such as the PRF and naming extensions, were not allowed by the original GSS-API specification.
You are right.
> -- Luke
More information about the krbdev