
Re: No GSSAPI Output Token without GSS_C_MUTUAL_FLAG



Never mind. From RFC1964:

1.1.2. Response Tokens

   A context establishment sequence based on the Kerberos V5 mechanism
   will perform one-way authentication (without confirmation or any
   return token from target to initiator in response to the initiator's
   KRB_AP_REQ) if the mutual_req bit is not set in the application's
   call to GSS_Init_sec_context().

So the answer is no, no AP-REP is to be sent if mutual is not requested.

The odd thing is smbclient doesn't request mutual. I guess Windows doesn't
honor this bit or obviously it wouldn't work. Err.

Mike

On Sun, 20 Nov 2005 17:27:28 -0500
Michael B Allen <mba2000@ioplex.com> wrote:

> I've noticed that gssapi/gss_krb5_accept_sec_context() will not create
> an output token if the AP-REQ does not request mutual authentication. As
> a result gss_accept_sec_context returns 0 with an empty output token. Is
> this correct? Shouldn't an AP-REP be sent back if only to say "ok"?
> 
> Mike
>
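
An added example, not part of the original thread: a Python check that reads the mutual-required bit from the AP-REQ inside an RFC 1964 initial token, the bit that decides whether the acceptor has an AP-REP to return. The function names and the sample token (empty ticket and authenticator fields) are constructed for illustration, and a SPNEGO-wrapped token is rejected rather than unwrapped.

```python
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def mutual_requested(token):
    """True if the AP-REQ in a Kerberos V5 initial token sets mutual-required."""
    tag, pos, _ = read_tlv(token, 0)
    if tag != 0x60 or token[pos:pos + 11] != KRB5_OID:
        raise ValueError("not a raw Kerberos V5 GSS-API initial token")
    pos += 11
    if token[pos:pos + 2] != b"\x01\x00":  # TOK_ID of KRB_AP_REQ
        raise ValueError("inner token is not a KRB_AP_REQ")
    tag, pos, _ = read_tlv(token, pos + 2)  # AP-REQ is [APPLICATION 14]
    if tag != 0x6E:
        raise ValueError("AP-REQ tag missing")
    tag, pos, end = read_tlv(token, pos)  # SEQUENCE body
    while pos < end:
        tag, vstart, vend = read_tlv(token, pos)
        if tag == 0xA2:  # ap-options [2], a 32-bit BIT STRING
            btag, bstart, bend = read_tlv(token, vstart)
            if btag != 0x03 or bend - bstart < 2:
                raise ValueError("malformed ap-options")
            # byte 0 is the unused-bits count; bit 2 (mutual-required) is 0x20
            return bool(token[bstart + 1] & 0x20)
        pos = vend
    raise ValueError("ap-options not found")

def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for the sample

def sample_token(opts):
    """Constructed token: real framing, empty ticket and authenticator."""
    seq = (der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x0e"))
           + der(0xA2, der(0x03, bytes([0, opts, 0, 0, 0])))
           + der(0xA3, b"") + der(0xA4, b""))
    return der(0x60, KRB5_OID + b"\x01\x00" + der(0x6E, der(0x30, seq)))

if __name__ == "__main__":
    for opts in (0x20, 0x00):
        print(hex(opts), "AP-REP expected:", mutual_requested(sample_token(opts)))
```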