[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gss_display_name escaping space?
On Tue, 12 Jun 2007 20:09:30 +0100
Simon Wilkinson <email@example.com> wrote:
> On 12 Jun 2007, at 19:52, Michael B Allen wrote:
> > I'm seeing 0.7.2 gss_display_name returning a UPN with it's space
> > escaped. Meaning if the UPN is "Test User@EXAMPLE.COM",
> > gss_display_name
> > returns "Test\ User@EXAMPLE.COM".
> > Is this right? I'm trying to figure out where this should be fixed.
> When I wrote the original GSSAPI OpenSSH patch, I used
> gss_display_name as the mechanism to obtain the Kerberos principal
> that the user had authenticated as. It was then explained to me that
> gss_display_name does exactly what it says on the tin - it's for
> human readable display purposes only.
> From RFC2743:
> " GSS_Display_name() implementations
> output a printable syntax selected as appropriate to their
> operational environments; this selection is a local matter."
> There's no guarantee that the name returned will match between
> implementations, or even be equivalent to the underlying Kerberos
> principal. If you're doing anything in the way of comparisons, you
> should use gss_export_name, whose output is strictly defined in the
> Kerberos GSSAPI RFC.
> There are a surprisingly large number of packages out there that get
> this wrong ...
Unfortunately, for some reason the mechglue branch version of 0.7.2
I'm using crashes in gss_export_name and I'm not sure why. It looks
like the gss_name_t type is getting lost somewhere in the layers and
krb5_unparse_name ends up getting some garbage. Rather than try to fix
the obsolete branch I'm using I have simply unescaped the spaces. Seems
to work but certainly not optimal.
I can't wait to move to 0.8 but I have bigger fish to fry.
Michael B Allen
PHP Active Directory Kerberos SSO