Use of kdc_send_hook with gss_init_sec_context

Greg Hudson ghudson at
Fri Feb 4 13:34:15 EST 2022

On 2/4/22 11:57 AM, Isaac Boukris wrote:
>>> Is there a way to use 'kdc_send_hook' with 'gss_init_sec_context'?
>>> If there isn't, can we add something like 'gsskrb5_set_krb5_context'?

I've floated this idea before, as a way to bridge libkrb5 functionality
(such as krb5_init_context_profile()) and GSS.

Nico dislikes the idea because he doesn't like anything that encourages
mechanism-specific code in GSS applications.  He tends to favor name
attributes as the extension point when possible.

Sam has raised a more specific objection: if the context set by
gsskrb5_set_krb5_context() is per-thread (which is the easiest way to
get around contexts not being thread-safe), then it could be a source of
subtle bugs if someone creates a GSS object in one thread and gets
different behavior when they use it in another thread.

I don't totally understand your use case.  If I read correctly, the
platform (wasm) requires the use of websockets rather than TCP or UDP.
So what code would register the send hook and GSS context?  Does every
application have to be modified in order to work with the platform?
That doesn't seem like a good long-term design compared to solving the
problem within libkrb5.

More information about the krbdev mailing list