Current semantics for channel-bindings in GSSAPI
iboukris at gmail.com
Tue Mar 10 09:53:18 EDT 2020
As discussed last week, we want the following changes.
- MIT should match Heimdal behavior and only error if client bindings
are not all zeros.
- Both Heimdal/MIT should return channel-bound flag if the bindings did match.
- Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
present in the authenticator, in which case if the server passed bindings
they must match.
- Both Heimdal/MIT should provide a conf option to assert that the client
system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
sent in any ap-req.
I submitted wip PR #1047 upstream MIT based on the above.
@metze, would that satisfy samba's requirements?
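The four rules in the post, written out as an acceptor-side decision procedure. This is an added illustration, not code from MIT krb5, Heimdal or PR #1047, and it makes some assumptions: the initiator's bindings reach the acceptor as the 16-byte channel-binding hash in the RFC 4121 authenticator checksum (all zeros when the client passed none), KERB_AP_OPTIONS_CBT is modelled as a plain boolean, the hash is a simplified MD5 over the application data only (RFC 4121 hashes the whole bindings structure), and the "legacy MIT" function models the pre-change behaviour the post describes as needing to change. The function, class and variable names are hypothetical.

```python
"""Model of the channel-binding rules proposed in the post (constructed example,
not MIT or Heimdal code)."""
import hashlib
from typing import Optional, Tuple

CB_HASH_LEN = 16
NO_BINDINGS = bytes(CB_HASH_LEN)  # all-zero hash: initiator passed no bindings


def cb_hash(bindings: Optional[bytes]) -> bytes:
    """Hash channel-binding application data the way the initiator would.

    Simplification (assumption): RFC 4121 hashes the full
    gss_channel_bindings_t structure; here only the application data is hashed.
    """
    if bindings is None:
        return NO_BINDINGS
    return hashlib.md5(bindings).digest()


def initiator_authenticator(bindings: Optional[bytes],
                            supports_cbt_config: bool) -> Tuple[bytes, bool]:
    """What the initiator puts in the AP-REQ: (cb hash, KERB_AP_OPTIONS_CBT).

    supports_cbt_config models the proposed config option: when set, the
    CBT flag goes into every AP-REQ, even one sent without bindings.
    """
    return cb_hash(bindings), supports_cbt_config


class ChannelBindingMismatch(Exception):
    """Acceptor rejects the context because of channel bindings."""


def accept_legacy_mit(client_hash: bytes,
                      acceptor_bindings: Optional[bytes]) -> bool:
    """Pre-change MIT rule as described in the post: if the acceptor passed
    bindings, any mismatch fails, including an all-zero client hash.
    Returns the channel-bound flag, which this behaviour never reports."""
    if acceptor_bindings is not None and client_hash != cb_hash(acceptor_bindings):
        raise ChannelBindingMismatch("client bindings differ from acceptor's")
    return False


def accept_proposed(client_hash: bytes, client_asserts_cbt: bool,
                    acceptor_bindings: Optional[bytes]) -> bool:
    """Proposed rule set.  Returns True when the context is channel-bound."""
    if acceptor_bindings is None:
        # Acceptor did not pass bindings: nothing to verify, not channel-bound.
        return False
    if client_hash == cb_hash(acceptor_bindings):
        # Bindings matched: report the channel-bound flag.
        return True
    if client_hash == NO_BINDINGS and not client_asserts_cbt:
        # Heimdal behaviour: a client that sent no bindings and does not
        # claim CBT support is tolerated, but the context is not bound.
        return False
    # Non-zero mismatch, or a client that asserted KERB_AP_OPTIONS_CBT but
    # whose bindings (even all zeros) do not match what the acceptor passed.
    raise ChannelBindingMismatch("client bindings differ from acceptor's")


def is_rejected(fn, *args) -> bool:
    """Helper: True if the acceptor function raises ChannelBindingMismatch."""
    try:
        fn(*args)
    except ChannelBindingMismatch:
        return True
    return False


if __name__ == "__main__":
    tls_cb = b"tls-server-end-point:constructed-sample"  # constructed input
    h, cbt = initiator_authenticator(tls_cb, supports_cbt_config=False)
    print("matching bindings ->", accept_proposed(h, cbt, tls_cb))
    print("legacy client, zero hash, proposed ->",
          accept_proposed(NO_BINDINGS, False, tls_cb))
    print("legacy client, zero hash, old MIT rejects ->",
          is_rejected(accept_legacy_mit, NO_BINDINGS, tls_cb))
    print("CBT-aware client, zero hash rejected ->",
          is_rejected(accept_proposed, NO_BINDINGS, True, tls_cb))
```

The interesting case is the third bullet of the post: once a client asserts KERB_AP_OPTIONS_CBT, the all-zero hash stops being a "don't know" and becomes a real mismatch against server-supplied bindings, which is what closes the downgrade where a binding-aware peer is treated as a legacy one.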