Limit use of deprecated krb5 mech OIDs Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set of mechanisms obtained by SPNEGO, and from the set used when gss_acquire_cred() is called with no desired_mechs attribute. SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but SPNEGO initiators will not offer them. According to [MS-SPNG], only Windows 2000 does not recognize the standard krb5 OID, and it is client-only. In gss-client.c, use the standard krb5 OID for the -krb5 option, as acceptors who call gss_acquire_cred() with no desired_mechs to create an acceptor cred will no longer accept the old or wrong krb5 OIDs. https://github.com/krb5/krb5/commit/7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479 Author: Greg Hudson Commit: 7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479 Branch: master src/appl/gss-sample/gss-client.c | 2 +- src/lib/gssapi/mechglue/g_acquire_cred.c | 11 +++++++++-- src/lib/gssapi/spnego/spnego_mech.c | 14 +++++++++++--- 3 files changed, 21 insertions(+), 6 deletions(-)