[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gss_display_name escaping space?

To: Simon Wilkinson <sxw@inf.ed.ac.uk>
Subject: Re: gss_display_name escaping space?
From: Michael B Allen <mba2000@ioplex.com>
Date: Tue, 12 Jun 2007 17:15:07 -0400
Cc: heimdal-discuss@sics.se
In-Reply-To: <5DEAE92F-AC66-41C2-8432-658BE55F382A@inf.ed.ac.uk>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <20070612145231.0343e7bf.mba2000@ioplex.com><5DEAE92F-AC66-41C2-8432-658BE55F382A@inf.ed.ac.uk>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <mba2000@ioplex.com>

On Tue, 12 Jun 2007 20:09:30 +0100
Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:

> 
> On 12 Jun 2007, at 19:52, Michael B Allen wrote:
> 
> > I'm seeing 0.7.2 gss_display_name returning a UPN with it's space
> > escaped. Meaning if the UPN is "Test User@EXAMPLE.COM",  
> > gss_display_name
> > returns "Test\ User@EXAMPLE.COM".
> >
> > Is this right? I'm trying to figure out where this should be fixed.
> 
> When I wrote the original GSSAPI OpenSSH patch, I used  
> gss_display_name as the mechanism to obtain the Kerberos principal  
> that the user had authenticated as. It was then explained to me that  
> gss_display_name does exactly what it says on the tin - it's for  
> human readable display purposes only.
>  From RFC2743:
> 
> "  GSS_Display_name() implementations
>     output a printable syntax selected as appropriate to their
>     operational environments; this selection is a local matter."
> 
> There's no guarantee that the name returned will match between  
> implementations, or even be equivalent to the underlying Kerberos  
> principal. If you're doing anything in the way of comparisons, you  
> should use gss_export_name, whose output is strictly defined in the  
> Kerberos GSSAPI RFC.
> 
> There are a surprisingly large number of packages out there that get  
> this wrong ...

Hi Simon,

I understand.

Unfortunately, for some reason the mechglue branch version of 0.7.2
I'm using crashes in gss_export_name and I'm not sure why. It looks
like the gss_name_t type is getting lost somewhere in the layers and
krb5_unparse_name ends up getting some garbage. Rather than try to fix
the obsolete branch I'm using I have simply unescaped the spaces. Seems
to work but certainly not optimal.

I can't wait to move to 0.8 but I have bigger fish to fry.

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

References:
- gss_display_name escaping space?
  - From: Michael B Allen <mba2000@ioplex.com>

Prev by Date: gss_display_name escaping space?
Next by Date: Re: gss_display_name escaping space?
Prev by thread: gss_display_name escaping space?
Next by thread: Re: gss_display_name escaping space?
Index(es):
- Date
- Thread