
List:       krbdev
Subject:    Re: GSS/SPNEGO/mechglue/krb5 patches for 1.8
From:       Nicolas Williams <Nicolas.Williams () sun ! com>
Date:       2010-02-08 18:40:19
Message-ID: 20100208184019.GH1061 () Sun ! COM

On Mon, Feb 08, 2010 at 01:25:39PM -0500, Greg Hudson wrote:
> On Fri, 2010-02-05 at 16:04 -0500, Nicolas Williams wrote:
> > I am, however, starting to think that SPNEGO should be integrated more
> > closely with the mechglue.  The idea being that if you pass in a
> > credential with elements for NTLM, Kerberos, PKU2U, mech_dh, _and_
> > SPNEGO, then those are the mechanisms from which SPNEGO will negotiate,
> > without having to separately call gss_set_neg_mechs().
> 
> Now that I have a slightly better understanding of the landscape... this
> feels awkward.  When you acquire credentials for SPNEGO, at least in our
> implementation, the SPNEGO code will go out and get its own union
> credential structure for all of the supported mechanisms.  So in your
> usage scenario, the app would be holding a union cred structure
> containing Kerberos creds at the top-level union layer, and then again
> inside the SPNEGO credentials.

Let's go through this:

App->mechglue: gss_acquire_cred(..., GSS_C_NO_NAME,
                                desired_mechs={krb5, ntlm, spnego}, ...)
     mechglue->krb5:   gss_acquire_cred(..., GSS_C_NO_NAME, ...)
     mechglue->ntlm:   gss_acquire_cred(..., GSS_C_NO_NAME, ...)
     mechglue->spnego: gss_acquire_cred(..., GSS_C_NO_NAME, ...)
               spnego->mechglue: re-enter mechglue
                                 gss_acquire_cred(..., GSS_C_NO_NAME,
                                                  desired_mechs={all-but-spnego}, ...)
                       mechglue: acquire a new cred, but this time for
                                 all mechs except spnego
                       mechglue->krb5: ...
                       mechglue->ntlm: ...
                       ...
App->mechglue: gss_init/accept_sec_context(..., <cred from above>, ...)
               with SPNEGO as the mech

     mechglue->spnego: gss_set_neg_mechs(..., spnego cred, neg_mechs={krb5, ntlm})
     mechglue->spnego: gss_init/accept_sec_context(...)
               spnego->mechglue: re-enter to handle gss_init/accept_sec_context()
                                 for the actual mech

To me this seems perfectly natural.

Nico
-- 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
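The call sequence Nico traces above, replayed as a small model so the resulting credential layout can be inspected. This is an added illustration, not MIT krb5 or mechglue code: `Mechglue`, `UnionCred` and the string mechanism names are stand-ins, and the model assumes SPNEGO simply picks the first entry of its neg_mechs list.

```python
from dataclasses import dataclass, field

SPNEGO, KRB5, NTLM = "spnego", "krb5", "ntlm"


@dataclass
class UnionCred:
    """Mechglue union credential: one element per mechanism."""
    elements: dict = field(default_factory=dict)   # mech -> element
    neg_mechs: tuple = ()                          # set by gss_set_neg_mechs()


class Mechglue:
    """Stand-in for the mechglue dispatcher (added model, not krb5 code)."""

    def acquire_cred(self, desired_mechs, trace):
        cred = UnionCred()
        for mech in desired_mechs:
            trace.append(f"mechglue->{mech}: gss_acquire_cred")
            if mech == SPNEGO:
                # SPNEGO re-enters the mechglue for its own union cred
                # covering every mechanism except SPNEGO itself.
                trace.append("spnego->mechglue: re-enter gss_acquire_cred")
                others = [m for m in desired_mechs if m != SPNEGO]
                cred.elements[mech] = self.acquire_cred(others, trace)
            else:
                cred.elements[mech] = f"{mech}-cred"   # opaque mech cred
        return cred

    def set_neg_mechs(self, cred, neg_mechs):
        # Applies to the SPNEGO element's own union cred.
        cred.elements[SPNEGO].neg_mechs = tuple(neg_mechs)

    def init_sec_context(self, cred, mech, trace):
        trace.append(f"mechglue->{mech}: gss_init_sec_context")
        if mech != SPNEGO:
            return mech
        # SPNEGO negotiates from neg_mechs (first listed wins in this model)
        # and re-enters the mechglue for the mechanism actually used.
        chosen = cred.elements[SPNEGO].neg_mechs[0]
        trace.append(f"spnego->mechglue: re-enter for {chosen}")
        return self.init_sec_context(cred.elements[SPNEGO], chosen, trace)


def run_trace():
    glue, trace = Mechglue(), []
    cred = glue.acquire_cred([KRB5, NTLM, SPNEGO], trace)
    glue.set_neg_mechs(cred, [KRB5, NTLM])
    chosen = glue.init_sec_context(cred, SPNEGO, trace)
    return cred, chosen, trace
```

Inspecting the returned cred shows the point Greg raises: krb5 and ntlm elements sit at the top-level union and again inside the SPNEGO element's own union, and krb5's gss_acquire_cred appears twice in the trace.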