RT RT/krbdev.mit.edu: Ticket #7044 gss_init_sec_context misbehaves on mismatched credentials Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
7044
Status
new
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
Target_Version
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Wed Dec 7 11:52:46 2011
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Wed Dec 7 11:54:13 2011 by ghudson
 

 People  
Owner
 Nobody
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 

 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Wed Dec  7 11:52:47 2011  ghudson - Ticket created    
     
Subject: gss_init_sec_context misbehaves on mismatched credentials

If you acquire a claimant credential with one mech type (say, krb5) and
then gss_init_sec_context with another mech type (say, SPNEGO), RFC 2743
implies that you should get back GSS_S_BAD_MECH.

What actually happens is that we proceed with default credentials for the
named mechanism.


Download (untitled) 289b
      Wed Dec  7 11:54:13 2011  ghudson - Comments added    
     
Another reasonable behavior would be to see if the requested mechanism
supports some kind of credential import.  SPNEGO would implement this SPI;
other mechansms probably wouldn't.  That's a lot more work than failing
out with GSS_S_BAD_MECH, of course.


Download (untitled) 256b