
SPNEGO and credentials delegation



It looks like there exist two issues which affect credentials delegation
when SPNEGO is in use:

1. It looks like acceptor_start (lib/gssapi/spnego/accept_sec_context.c)
always puts GSS_C_NO_CREDENTIAL into *delegated_cred_handle. Even if the
lower layer returns valid credentials and puts them into
*delegated_cred_handle (lines 641-663) they are being overwritten later
with ctx->delegated_cred_id which seems to always be GSS_C_NO_CREDENTIAL
(lines 743-746). I guess that either lines 743-746 should be removed or
delegated_cred_handle should be replaced with ctx->delegated_cred_id in
lines 641-663.

2. There are two methods: _gss_spnego_inquire_sec_context_by_oid and
_gss_spnego_inquire_cred_by_oid, which are implemented but not declared
in lib/gssapi/spnego/external.c.
Are there any reasons for them to be disabled?

-- 
Oleg Sharoiko.
Software and Network Engineer
Computer Center of Rostov State University.
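
The overwrite pattern described in item 1, as an added example that is not part of the original message and is not Heimdal source: a simplified model comparing the overwriting flow with the second remedy the message suggests, plus an acceptor-side check for "delegation reported but no credential returned". All types, names and the flag behaviour (`cred_t`, `mech_accept`, `DELEG_FLAG`, and so on) are stand-ins assumed for illustration.

```c
#include <stdio.h>

/* Stand-ins defined here (assumptions), not the GSS-API or Heimdal types. */
typedef struct cred { const char *name; } *cred_t;
#define NO_CREDENTIAL ((cred_t)0)   /* role of GSS_C_NO_CREDENTIAL */
#define DELEG_FLAG 1u               /* role of GSS_C_DELEG_FLAG */
struct spnego_ctx { cred_t delegated_cred_id; };

static struct cred forwarded = { "constructed-delegated-cred" };

/* Lower-layer mechanism: the client delegated, so return the credential. */
static void mech_accept(cred_t *deleg_out, unsigned *flags) {
    *deleg_out = &forwarded;
    *flags |= DELEG_FLAG;
}

/* Pattern from the message: the mechanism fills the caller's handle, then
 * the wrapper overwrites it with a context field that was never set. */
static unsigned accept_overwriting(struct spnego_ctx *ctx, cred_t *deleg_out) {
    unsigned flags = 0;
    mech_accept(deleg_out, &flags);
    *deleg_out = ctx->delegated_cred_id;
    return flags;
}

/* Second remedy from the message: the mechanism fills the context field,
 * and the wrapper hands that field to the caller. */
static unsigned accept_via_ctx(struct spnego_ctx *ctx, cred_t *deleg_out) {
    unsigned flags = 0;
    mech_accept(&ctx->delegated_cred_id, &flags);
    *deleg_out = ctx->delegated_cred_id;
    ctx->delegated_cred_id = NO_CREDENTIAL;  /* caller now owns it */
    return flags;
}

/* Acceptor-side check: delegation reported, but no credential returned. */
static int delegation_lost(int use_ctx_field) {
    struct spnego_ctx ctx = { NO_CREDENTIAL };
    cred_t deleg = NO_CREDENTIAL;
    unsigned flags = use_ctx_field ? accept_via_ctx(&ctx, &deleg)
                                   : accept_overwriting(&ctx, &deleg);
    return (flags & DELEG_FLAG) && deleg == NO_CREDENTIAL;
}

int main(void) {
    printf("overwriting: lost=%d\n", delegation_lost(0));
    printf("via ctx:     lost=%d\n", delegation_lost(1));
    return 0;
}
```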