Current semantics for channel-bindings in GSSAPI

Stefan Metzmacher metze at
Tue Mar 10 11:23:35 EDT 2020

Hi Issac,

> As discussed last week, we want the following changes.
> - MIT should match Heimdal behavior and only error if client bindings
> are not all zeros.
> - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
> - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> present if authenticator, in which case if the server passed bindings
> they must match.
> - Both Heimdal/MIT should provide a conf option to asset the client
> system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> sent in any ap-req.
> I submitted wip PR #1047 upstream MIT based on the above.
> @metze, would that satisfy samba's requirements?

I looked briefly and the core changes look good,
but (as always :-) I think krb5.conf option alone are unflexible
and I'd really like to get rid of autogenerated krb5.conf files and
global exporting "KRB5_CONFIG". So APIs to turn this on from the
application would be great.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url :

More information about the krbdev mailing list