Re: SPNEGO and credentials delegation
On 11 Mar 2008, at 09:14, Oleg Sharoiko wrote:
> It looks like there exist two issues which affect credentials delegation
> when SPNEGO is in use:
>
> 1. It looks like acceptor_start (lib/gssapi/spnego/accept_sec_context.c)
> always puts GSS_C_NO_CREDENTIAL into *delegated_cred_handle. Even if the
> lower layer returns valid credentials and puts them into
> *delegated_cred_handle (lines 641-663) they are being overwritten later
> with ctx->delegated_cred_id which seems to always be GSS_C_NO_CREDENTIAL
> (lines 743-746). I guess that either lines 743-746 should be removed or
> delegated_cred_handle should be replaced with ctx->delegated_cred_id in
> lines 641-663.
That was a misdirected try to make the delegated credential be
returned in the last call; the GSS-API interface doesn't seem to have
such a limitation. Updated the code and will commit it when I get back
to network land.
> 2. There are two methods: _gss_spnego_inquire_sec_context_by_oid and
> _gss_spnego_inquire_cred_by_oid, which are implemented but not declared
> in lib/gssapi/spnego/external.c
> Are there any reasons for them to be disabled?
Not really, added them and the two other missing glue functions in the
SPNEGO layer.
Thanks!
Love
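
The overwrite described in point 1 of the report, reduced to a stand-alone C model. This is an added example, not part of the thread and not Heimdal code; every type and function name in it is hypothetical, and clearing the context field on hand-off is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins; all names are hypothetical, not Heimdal's. */
typedef struct cred { const char *name; } *cred_t;
#define NO_CRED ((cred_t)0)

struct spnego_ctx { cred_t delegated_cred_id; };

static struct cred forwarded = { "user@EXAMPLE.ORG (constructed)" };

/* Lower-layer mechanism: returns the delegated credential to its caller. */
static void mech_accept(cred_t *delegated) {
    if (delegated != NULL)
        *delegated = &forwarded;
}

/* Reported pattern: the mechanism writes into the caller's handle, then the
 * wrapper overwrites it from a context field that nothing ever set. */
static void accept_buggy(struct spnego_ctx *ctx, cred_t *delegated) {
    mech_accept(delegated);
    if (delegated != NULL)
        *delegated = ctx->delegated_cred_id;   /* always NO_CRED here */
}

/* Second fix suggested in the report: the mechanism fills the context field,
 * which is then handed to the caller. Clearing the field afterwards is an
 * assumption of this model, so the credential has a single owner. */
static void accept_fixed(struct spnego_ctx *ctx, cred_t *delegated) {
    mech_accept(&ctx->delegated_cred_id);
    if (delegated != NULL) {
        *delegated = ctx->delegated_cred_id;
        ctx->delegated_cred_id = NO_CRED;
    }
}

static cred_t run(void (*accept)(struct spnego_ctx *, cred_t *)) {
    struct spnego_ctx ctx = { NO_CRED };
    cred_t out = NO_CRED;
    accept(&ctx, &out);
    return out;
}

int main(void) {
    cred_t b = run(accept_buggy), f = run(accept_fixed);
    printf("buggy: %s\n", b ? b->name : "(no credential)");
    printf("fixed: %s\n", f ? f->name : "(no credential)");
    return 0;
}
```

In the buggy variant the acceptor application sees no delegated credential even though the client forwarded one, so anything that depends on acting for the user fails with no error from the wrapper.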