Project review: Interposer mechanisms

Simo Sorce simo at
Fri Oct 5 08:27:44 EDT 2012

On Fri, 2012-10-05 at 16:13 +1000, Luke Howard wrote:
> On 05/10/2012, at 2:49 PM, Simo Sorce <simo at> wrote:
> > When I started working on this, the code was different, but in the final
> > code I do not see anything that would prevent an interposer to 'try' to
> > interpose SPNEGO, just like any other mechanism.
> Right, but then concrete mechanisms which weren't interposed are then
> run in the proxy address space, which (according to your previous
> mail) may not work for mechanisms other than Kerberos. (Or maybe it
> would?)

The plugin I wrote is capable of re-entering gssapi so it could even
simply re-implement SPNEGO with local mechanisms.

ATM nothing but kerberos is really tested with the gssproxy
daemon/interposer, so something may simply fail, but shouldn't be too
hard to 'fix'.


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list