From klmitch@MIT.EDU Tue Nov 12 19:08:48 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA29003 for <bugs@RT-11.MIT.EDU>; Tue, 12 Nov 1996 19:08:48 -0500
Received: from STARKILLER.MIT.EDU by MIT.EDU with SMTP
id AA04830; Tue, 12 Nov 96 19:08:47 EST
Received: by starkiller.MIT.EDU (5.x/4.7) id AA24971; Tue, 12 Nov 1996 19:08:47 -0500
Message-Id: <9611130008.AA24971@starkiller.MIT.EDU>
Date: Tue, 12 Nov 1996 19:08:47 -0500
From: klmitch@MIT.EDU
Reply-To: klmitch@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: GSSAPI fails to handle forwardable credentials
X-Send-Pr-Version: 3.99

>Number: 183
>Category: krb5-libs
>Synopsis: GSSAPI fails to handle forwardable credentials
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: marc
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Nov 12 19:09:00 EST 1996
>Last-Modified: Tue Sep 09 14:23:29 EDT 1997
>Originator: Kevin L Mitchell
>Release: 1.0-development

System: SunOS starkiller 5.4 Generic_101945-37 sun4m sparc

A test program I wrote does the following (the -d option tells it to
attempt to delegate credentials):

[starkiller]-[~]-> /var/klmitch/mycode/gss-test/client -d -s host starkiller this is a test
Message: this is a test
Service: host@starkiller
Host : starkiller
Port : 4444
Deleg : on
GSS-API error initializing context: Miscellaneous failure
GSS-API error initializing context: Generic error (see e-text)
[starkiller]-[~]-> /var/klmitch/mycode/gss-test/client -s host starkiller this is a test
Message: this is a test
Service: host@starkiller
Host : starkiller
Port : 4444
Deleg : off
Sending init_sec_context token (size 491)...continue needed...
(...and so on...)

all of which means that the GSSAPI fails to handle delegation of credentials.
Previously, it would forward them, but would fail to return the forwarded
credentials to the original caller (though it would set the delegation
Perform a GSS-API init_sec_context/accept_sec_context handshake with
credential delegation turned on.

State-Changed-From-To: open-analyzed
State-Changed-By: marc
State-Changed-When: Wed Nov 20 22:15:39 1996

If GSS_C_DELEG_FLAG was specified, but the credentials weren't
actually forwardable, then gss_init_sec_context() would fail. Now, it
will succeed, but GSS_C_DELEG_FLAG will be cleared in the output

I haven't yet fixed the server to create a gss_cred_id_t with the
delegated credential, but I know what I need to do.

Kevin, since you have some test code for this, can you please see if
gss_init_sec_context() dtrt, both with forwardable (kinit -f) and
non-forwardable tickets? If you can't do this before Monday, can you
point me at the code? Thanks!

Responsible-Changed-From-To: krb5-unassigned->marc
Responsible-Changed-By: marc
Responsible-Changed-When: Wed Nov 20 22:23:32 1996

mine now, I guess.

State-Changed-From-To: analyzed-closed
State-Changed-By: klmitch
State-Changed-When: Tue Sep 9 14:19:18 1997

added code to actually deal with generating a credential handle.
This will break if we start using the stuff in the "generic"
subdirectory because that stuff uses a different type of credential
handle, but the calling semantics force me to generate my own
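
Added example, not part of the original report or the krb5 sources: since gss_init_sec_context() can succeed with GSS_C_DELEG_FLAG cleared in the output, and the earlier behaviour could set the flag without returning the credential, callers on both sides need to check the returned flags. The enum and the three helper functions below are hypothetical names for this sketch; a NULL pointer stands in for GSS_C_NO_CREDENTIAL.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 2744 value, defined only so this builds without <gssapi/gssapi.h>. */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG 1
#endif

/* Hypothetical result codes for this example (not part of GSS-API). */
enum deleg_status {
    DELEG_NONE,         /* no delegation requested / none received */
    DELEG_GRANTED,      /* GSS_C_DELEG_FLAG confirmed in ret_flags */
    DELEG_DROPPED,      /* requested, context OK, but flag cleared
                           (e.g. ticket obtained without kinit -f) */
    DELEG_INCONSISTENT  /* flag disagrees with request or handle */
};

/* Initiator: compare the req_flags given to gss_init_sec_context()
 * with the ret_flags it reported once the context is established. */
enum deleg_status initiator_deleg_status(uint32_t req_flags, uint32_t ret_flags)
{
    int asked = (req_flags & GSS_C_DELEG_FLAG) != 0;
    int got = (ret_flags & GSS_C_DELEG_FLAG) != 0;
    if (!asked)
        return got ? DELEG_INCONSISTENT : DELEG_NONE;
    return got ? DELEG_GRANTED : DELEG_DROPPED;
}

/* Acceptor: deleg_cred models the delegated_cred_handle output of
 * gss_accept_sec_context(). It is usable only when the flag is set
 * AND a handle was actually returned. */
enum deleg_status acceptor_deleg_status(uint32_t ret_flags, const void *deleg_cred)
{
    int flagged = (ret_flags & GSS_C_DELEG_FLAG) != 0;
    if (flagged != (deleg_cred != NULL))
        return DELEG_INCONSISTENT;
    return flagged ? DELEG_GRANTED : DELEG_NONE;
}

/* Policy gate: 1 = proceed, 0 = abort. require_deleg is set by callers
 * that cannot do their job without forwarded credentials. */
int may_proceed(enum deleg_status st, int require_deleg)
{
    if (st == DELEG_INCONSISTENT)
        return 0;
    return !require_deleg || st == DELEG_GRANTED;
}
```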
