[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: gss_display_name escaping space?

On Tue, 12 Jun 2007 20:09:30 +0100
Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:

> On 12 Jun 2007, at 19:52, Michael B Allen wrote:
> > I'm seeing 0.7.2 gss_display_name returning a UPN with it's space
> > escaped. Meaning if the UPN is "Test User@EXAMPLE.COM",  
> > gss_display_name
> > returns "Test\ User@EXAMPLE.COM".
> >
> > Is this right? I'm trying to figure out where this should be fixed.
> When I wrote the original GSSAPI OpenSSH patch, I used  
> gss_display_name as the mechanism to obtain the Kerberos principal  
> that the user had authenticated as. It was then explained to me that  
> gss_display_name does exactly what it says on the tin - it's for  
> human readable display purposes only.
>  From RFC2743:
> "  GSS_Display_name() implementations
>     output a printable syntax selected as appropriate to their
>     operational environments; this selection is a local matter."
> There's no guarantee that the name returned will match between  
> implementations, or even be equivalent to the underlying Kerberos  
> principal. If you're doing anything in the way of comparisons, you  
> should use gss_export_name, whose output is strictly defined in the  
> Kerberos GSSAPI RFC.
> There are a surprisingly large number of packages out there that get  
> this wrong ...

Hi Simon,

I understand.

Unfortunately, for some reason the mechglue branch version of 0.7.2
I'm using crashes in gss_export_name and I'm not sure why. It looks
like the gss_name_t type is getting lost somewhere in the layers and
krb5_unparse_name ends up getting some garbage. Rather than try to fix
the obsolete branch I'm using I have simply unescaped the spaces. Seems
to work but certainly not optimal.

I can't wait to move to 0.8 but I have bigger fish to fry.


Michael B Allen
PHP Active Directory Kerberos SSO