Current semantics for channel-bindings in GSSAPI
iboukris at gmail.com
Tue Mar 10 11:34:38 EDT 2020
On Tue, Mar 10, 2020 at 4:23 PM Stefan Metzmacher <metze at samba.org> wrote:
> Hi Issac,
> > As discussed last week, we want the following changes.
> > - MIT should match Heimdal behavior and only error if client bindings
> > are not all zeros.
> > - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
> > - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> > present in the authenticator, in which case if the server passed bindings
> > they must match.
> > - Both Heimdal/MIT should provide a conf option to assert the client
> > system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> > sent in any ap-req.
> > I submitted wip PR #1047 upstream MIT based on the above.
> > @metze, would that satisfy samba's requirements?
> I looked briefly and the core changes look good,
> but (as always :-) I think krb5.conf options alone are inflexible
> and I'd really like to get rid of autogenerated krb5.conf files and
> global exporting "KRB5_CONFIG". So APIs to turn this on from the
> application would be great.
Ok, so we'd need a new cred-option to override it by the application.
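A model of the acceptor-side decision the four bullet points above describe, as an added example: this is constructed illustration code, not MIT or Heimdal code and not the PR under discussion. It assumes a simplified 16-byte Bnd field (MD5 of the application data only; the real RFC 4121 checksum covers the whole channel-binding structure), a made-up numeric value for KERB_AP_OPTIONS_CBT, and a hypothetical `legacy_mit` switch standing in for the pre-change MIT behaviour that the first bullet asks to drop.

```python
"""Model of proposed GSSAPI/Kerberos channel-binding acceptor semantics.

Constructed example; not MIT krb5, Heimdal or Samba code.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed constant for illustration only; the real AP option bit value is not
# stated in the thread and is not claimed here.
KERB_AP_OPTIONS_CBT = 0x4000

# RFC 4121 Bnd is 16 bytes; all zeros means "initiator sent no bindings".
ZERO_BND = bytes(16)


def cb_hash(bindings: Optional[bytes]) -> bytes:
    """Simplified Bnd: MD5 over the application data, zeros if absent.

    Simplification for the example; RFC 4121 hashes the full
    gss_channel_bindings_t structure (addresses with lengths included).
    """
    if bindings is None:
        return ZERO_BND
    return hashlib.md5(bindings).digest()


def initiator_side(bindings: Optional[bytes], assert_cbt_support: bool):
    """Build (Bnd, ap_options) as an initiator would.

    assert_cbt_support models the proposed conf option / cred option:
    when set, KERB_AP_OPTIONS_CBT is sent in every AP-REQ.
    """
    ap_options = KERB_AP_OPTIONS_CBT if assert_cbt_support else 0
    return cb_hash(bindings), ap_options


@dataclass
class Decision:
    accept: bool          # does the acceptor establish the context?
    channel_bound: bool   # should the channel-bound flag be returned?
    reason: str


def accept_ap_req(server_bindings: Optional[bytes], client_bnd: bytes,
                  ap_options: int, legacy_mit: bool = False) -> Decision:
    """Acceptor decision under the semantics proposed in the thread."""
    cbt_asserted = bool(ap_options & KERB_AP_OPTIONS_CBT)

    if server_bindings is None:
        # Acceptor passed no bindings: nothing to compare against.
        return Decision(True, False, "acceptor supplied no bindings")

    expected = cb_hash(server_bindings)

    if client_bnd == expected:
        # Bullet 2: matching bindings -> return the channel-bound flag.
        return Decision(True, True, "bindings match")

    if client_bnd == ZERO_BND:
        if cbt_asserted:
            # Bullet 3: client claims CBT support, so zeros are no longer
            # an acceptable "I don't do bindings" signal; they must match.
            return Decision(False, False,
                            "KERB_AP_OPTIONS_CBT set but bindings absent")
        if legacy_mit:
            # Hypothetical pre-change MIT behaviour: any mismatch errors,
            # even all-zero client bindings (what bullet 1 asks to drop).
            return Decision(False, False, "legacy: zero bindings rejected")
        # Bullet 1 (Heimdal behaviour): zeros are tolerated, unbound.
        return Decision(True, False, "client sent no bindings; accepted")

    # Client sent real bindings that differ from ours: always an error.
    return Decision(False, False, "bindings mismatch")


if __name__ == "__main__":
    tls_unique = b"constructed tls-unique value"
    bnd, opts = initiator_side(tls_unique, assert_cbt_support=True)
    print(accept_ap_req(tls_unique, bnd, opts))
    print(accept_ap_req(tls_unique, *initiator_side(None, False)))
    print(accept_ap_req(tls_unique, *initiator_side(None, True)))
```

The `legacy_mit` branch exists only to make the behavioural difference visible side by side; the point of the proposal is that both implementations converge on the non-legacy path, with KERB_AP_OPTIONS_CBT closing the all-zeros loophole whenever the client has declared that it supports bindings.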