gss_acquire_cred_with_password() and mech selection

Greg Hudson ghudson at
Fri Jul 10 13:21:43 EDT 2015

I noticed the other night that, after the change to use a unique memory
ccache for gss_acquire_cred_with_password(), we have some poor behavior:

* When called with a desired_mechs of SPNEGO, we perform three AS-REQs,
  one for each non-IAKERB krb5 variant.

* When called with a desired_mechs of GSS_C_NO_OID_SET, we perform six
  AS-REQs, three inside SPNEGO and three outside.
describes some steps which could improve this and similar problems.  But
I also wonder what the best mechglue behavior is for the function when
called with a desired_mechs of GSS_C_NO_OID_SET.

I believe Heimdal (on master) behaves like MIT krb5, except that it
doesn't have the "three OIDs for krb5" problem.  So I would expect it to
perform two AS-REQs, one inside SPNEGO and one outside, and also to
acquire creds with a password for every other mech twice.

Solaris acquires a cred for the default mech (typically krb5).  This is
also the Solaris behavior for gss_acquire_cred(), and was the MIT krb5
behavior for gss_acquire_cred() before 1.10.  That behavior isn't very
nice for acceptor creds, but gss_acquire_cred_with_password() is
basically only used to get initiator creds.

[I haven't CC'd heimdal-discuss because I know the most likely
interested parties are on this list, but feel free to loop in anyone
else on replies.]

More information about the krbdev mailing list