List: krbdev
Subject: Re: GSS/SPNEGO/mechglue/krb5 patches for 1.8
From: Nicolas Williams <Nicolas.Williams () sun ! com>
Date: 2010-02-08 18:40:19
Message-ID: 20100208184019.GH1061 () Sun ! COM
On Mon, Feb 08, 2010 at 01:25:39PM -0500, Greg Hudson wrote:
> On Fri, 2010-02-05 at 16:04 -0500, Nicolas Williams wrote:
> > I am, however, starting to think that SPNEGO should be integrated more
> > closely with the mechglue. The idea being that if you pass in a
> > credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
> > SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
> > without having to separately call gss_set_neg_mechs().
>
> Now that I have a slightly better understanding of the landscape... this
> feels awkward. When you acquire credentials for SPNEGO, at least in our
> implementation, the SPNEGO code will go out and get its own union
> credential structure for all of the supported mechanisms. So in your
> usage scenario, the app would be holding a union cred structure
> containing Kerberos creds at the top-level union layer, and then again
> inside the SPNEGO credentials.
Let's go through this:
App->mechglue:      gss_acquire_cred(..., GSS_C_NO_NAME,
                                     desired_mechs={krb5, ntlm, spnego}, ...)
  mechglue->krb5:   gss_acquire_cred(..., GSS_C_NO_NAME, ...)
  mechglue->ntlm:   gss_acquire_cred(..., GSS_C_NO_NAME, ...)
  mechglue->spnego: gss_acquire_cred(..., GSS_C_NO_NAME, ...)
    spnego->mechglue: re-enter mechglue
                      gss_acquire_cred(..., GSS_C_NO_NAME,
                                       desired_mechs={all-but-spnego}, ...)
      mechglue:         acquire a new cred, but this time for
                        all mechs except spnego
        mechglue->krb5: ...
        mechglue->ntlm: ...
...

App->mechglue:      gss_init/accept_sec_context(..., <cred from above>, ...)
                    with SPNEGO as the mech
  mechglue->spnego: gss_set_neg_mechs(..., spnego cred, neg_mechs={krb5, ntlm})
  mechglue->spnego: gss_init/accept_sec_context(...)
    spnego->mechglue: re-enter to handle gss_init/accept_sec_context()
                      for the actual mech

To me this seems perfectly natural.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev