Re: No GSSAPI Output Token without GSS_C_MUTUAL_FLAG

Never mind. From RFC1964:

   1.1.2. Response Tokens

   A context establishment sequence based on the Kerberos V5 mechanism
   will perform one-way authentication (without confirmation or any
   return token from target to initiator in response to the initiator's
   KRB_AP_REQ) if the mutual_req bit is not set in the application's
   call to GSS_Init_sec_context().

So the answer is no, no AP-REP is to be sent if mutual is not requested.

The odd thing is smbclient doesn't request mutual. I guess Windows doesn't
honor this bit or obviously it wouldn't work. Err.

On Sun, 20 Nov 2005 17:27:28 -0500
Michael B Allen <firstname.lastname@example.org> wrote:
> I've noticed that gssapi/gss_krb5_accept_sec_context() will not create
> an output token if the AP-REQ does not request mutual authentication. As
> a result gss_accept_sec_context returns 0 with an empty output token. Is
> this correct? Shouldn't an AP-REP be sent back if only to say "ok"?
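
Added example, not part of the original message and not code from any Kerberos implementation: a small C check that reads the ap-options field of the KRB_AP_REQ inside an RFC 1964 initial context token and reports whether mutual-required is set, which per the RFC text quoted above decides whether the acceptor returns an AP-REP. The function names are hypothetical, and `sample_tok` is a constructed token whose AP-REQ is cut off after ap-options.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const uint8_t krb5_oid[] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Constructed sample: RFC 1964 initial token, AP-REQ cut off after ap-options. */
static const uint8_t sample_tok[] = {
    0x60,0x24, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0x01,0x00,                          /* TOK_ID: KRB_AP_REQ */
    0x6e,0x15, 0x30,0x13,               /* [APPLICATION 14] SEQUENCE */
    0xa0,0x03,0x02,0x01,0x05,           /* pvno 5 */
    0xa1,0x03,0x02,0x01,0x0e,           /* msg-type 14 */
    0xa2,0x07,0x03,0x05,0x00,0x20,0x00,0x00,0x00 }; /* ap-options: mutual-required */

/* Consume a DER header with the expected tag; return content length or -1. */
static long der_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag) {
    const uint8_t *q = *p;
    if (end - q < 2 || *q++ != tag) return -1;
    size_t len = *q++;
    if (len & 0x80) {                   /* long form: next n bytes hold the length */
        size_t n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - q) < n) return -1;
        for (len = 0; n--; ) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;  /* content must fit in the buffer */
    *p = q;
    return (long)len;
}

/* 1 = mutual-required set (AP-REP expected), 0 = not set, -1 = malformed. */
int token_wants_mutual(const uint8_t *tok, size_t toklen) {
    const uint8_t *p = tok, *end = tok + toklen;
    long n;
    if ((n = der_hdr(&p, end, 0x60)) < 0) return -1;      /* GSS-API framing */
    end = p + n;
    if (n < (long)sizeof krb5_oid + 2 || memcmp(p, krb5_oid, sizeof krb5_oid)) return -1;
    p += sizeof krb5_oid;
    if (p[0] != 0x01 || p[1] != 0x00) return -1;          /* not a KRB_AP_REQ token */
    p += 2;
    if ((n = der_hdr(&p, end, 0x6e)) < 0) return -1;      /* AP-REQ */
    end = p + n;
    if ((n = der_hdr(&p, end, 0x30)) < 0) return -1;
    end = p + n;
    for (uint8_t tag = 0xa0; tag <= 0xa1; tag++) {        /* skip pvno, msg-type */
        if ((n = der_hdr(&p, end, tag)) < 0) return -1;
        p += n;
    }
    if ((n = der_hdr(&p, end, 0xa2)) < 0) return -1;      /* ap-options [2] */
    end = p + n;
    if (der_hdr(&p, end, 0x03) < 2) return -1;            /* BIT STRING: pad byte + flags */
    return (p[1] & 0x20) ? 1 : 0;                         /* bit 2 = mutual-required */
}
```

A result of 0 on a captured initiator token means an empty output token from gss_accept_sec_context() is the behaviour RFC 1964 specifies for that exchange.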