[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: No GSSAPI Output Token without GSS_C_MUTUAL_FLAG

Nevermind. From RFC1964:

1.1.2. Response Tokens

   A context establishment sequence based on the Kerberos V5 mechanism
   will perform one-way authentication (without confirmation or any
   return token from target to initiator in response to the initiator's
   KRB_AP_REQ) if the mutual_req bit is not set in the application's
   call to GSS_Init_sec_context().

So the answer is no, no AP-REP is to be sent if mutual is not requested.

The odd thing is smbclient doesn't request mutual. I guess Windows doesn't
honor this bit or obviously it wouldn't work. Err.


On Sun, 20 Nov 2005 17:27:28 -0500
Michael B Allen <mba2000@ioplex.com> wrote:

> I've noticed that gssapi/gss_krb5_accept_sec_context() will not create
> an output token if the AP-REQ does not request mutual authentication. As
> a result gss_accept_sec_context returns 0 with an empty output token. Is
> this correct? Shouldn't an AP-REP be sent back if only to say "ok"?
> Mike