Current semantics for channel-bindings in GSSAPI
Stefan Metzmacher
metze at samba.org
Tue Mar 10 11:23:35 EDT 2020
Hi Issac,
> As discussed last week, we want the following changes.
>
> - MIT should match Heimdal behavior and only error if client bindings
> are not all zeros.
> - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> present if authenticator, in which case if the server passed bindings
> they must match.
> - Both Heimdal/MIT should provide a conf option to asset the client
> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> sent in any ap-req.
>
> I submitted wip PR #1047 upstream MIT based on the above.
>
> @metze, would that satisfy samba's requirements?
I looked briefly and the core changes look good,
but (as always :-) I think krb5.conf option alone are unflexible
and I'd really like to get rid of autogenerated krb5.conf files and
global exporting "KRB5_CONFIG". So APIs to turn this on from the
application would be great.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20200310/68cfa240/attachment-0001.bin
More information about the krbdev
mailing list