Skip Menu |
 

Subject: GSSAPI authorization data export
Implement GSSAPI function to export authorization data from ticket from
client. (Samba support)

OM_uint32
gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
krb5_keyblock **key);
Date: Fri, 15 Apr 2005 23:07:02 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: rt@krbdev.mit.edu, krbdev@mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
On Fri, Apr 15, 2005 at 09:24:43PM -0400, Jeffrey Altman via RT wrote:
Show quoted text
>
> OM_uint32
> gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
> krb5_keyblock **key);

krb5_keyblock -> not a good idea, IMO.

Please have this output an enctype as an integer and a gss_buffer_t
containing the key value -- let the caller do with this what they will,
(which may well be to make a krb5_keyblock out of the enctype and key
value).

Nico
--
Date: Sat, 16 Apr 2005 00:16:18 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
Nicolas Williams wrote:

Show quoted text
> On Fri, Apr 15, 2005 at 09:24:43PM -0400, Jeffrey Altman via RT wrote:
>
>>OM_uint32
>>gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
>> krb5_keyblock **key);
>
>
> krb5_keyblock -> not a good idea, IMO.
>
> Please have this output an enctype as an integer and a gss_buffer_t
> containing the key value -- let the caller do with this what they will,
> (which may well be to make a krb5_keyblock out of the enctype and key
> value).
>
> Nico

Nico:

This was simply a note to myself that this is the function that Heimdal
implements. It is nothing more.

- Jeff
Download smime.p7s
application/x-pkcs7-signature 3.1KiB

Message body not shown because it is not plain text.

Date: Fri, 15 Apr 2005 23:19:08 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
On Sat, Apr 16, 2005 at 12:14:05AM -0400, Jeffrey Altman [Kermit Project] via RT wrote:
Show quoted text
> Nicolas Williams wrote:
>
> > On Fri, Apr 15, 2005 at 09:24:43PM -0400, Jeffrey Altman via RT wrote:
> >
> >>OM_uint32
> >>gss_krb5_get_subkey(const gss_ctx_id_t context_handle,
> >> krb5_keyblock **key);
> >
> >
> > krb5_keyblock -> not a good idea, IMO.
> >
> > Please have this output an enctype as an integer and a gss_buffer_t
> > containing the key value -- let the caller do with this what they will,
> > (which may well be to make a krb5_keyblock out of the enctype and key
> > value).
> >
> > Nico
>
> Nico:
>
> This was simply a note to myself that this is the function that Heimdal
> implements. It is nothing more.

Heh. Sorry!

Nico
--
To: rt@krbdev.mit.edu
Cc: krbdev@mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
From: Sam Hartman <hartmans@mit.edu>
Date: Sun, 17 Apr 2005 19:15:57 -0400
RT-Send-Cc:
Shouldn't the export lucid context already get you the subkey?
Date: Sun, 17 Apr 2005 23:46:05 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
Cc: rt@krbdev.mit.edu, krbdev@mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
Sam Hartman wrote:

Show quoted text
> Shouldn't the export lucid context already get you the subkey?

We need to decide on a common set of gss extension functions which
are going to be available on both our's and Heimdal's implementations
in order to best support the needs of application developers.
Download smime.p7s
application/x-pkcs7-signature 3.1KiB

Message body not shown because it is not plain text.

From: Luke Howard <lukeh@padl.com>
To: jaltman@columbia.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
Cc: rt@krbdev.mit.edu, krbdev@mit.edu
Date: Mon, 18 Apr 2005 17:22:45 +1000
RT-Send-Cc:

Note that you don't need GSS_C_DCE_STYLE for CIFS support,
only for RPC.

-- Luke

Show quoted text
>From: Jeffrey Altman <jaltman@columbia.edu>
>Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
>Cc: rt@krbdev.mit.edu, krbdev@mit.edu
>Date: Sun, 17 Apr 2005 23:46:05 -0400
>Organization: No Longer Affiliated with Columbia University in the City of New York
>
>[Attachment: a1, multipart/signed]
>Sam Hartman wrote:
>
>> Shouldn't the export lucid context already get you the subkey?
>
>We need to decide on a common set of gss extension functions which
>are going to be available on both our's and Heimdal's implementations
>in order to best support the needs of application developers.
>
>
>
>_______________________________________________
>krbdev mailing list krbdev@mit.edu
>https://mailman.mit.edu/mailman/listinfo/krbdev
>

--
Date: Mon, 18 Apr 2005 11:26:08 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jeffrey Altman <jaltman@columbia.edu>
Cc: rt@krbdev.mit.edu, krbdev@mit.edu
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.5KiB
On Sun, Apr 17, 2005 at 11:46:05PM -0400, Jeffrey Altman wrote:
Show quoted text
> Sam Hartman wrote:
>
> > Shouldn't the export lucid context already get you the subkey?
>
> We need to decide on a common set of gss extension functions which
> are going to be available on both our's and Heimdal's implementations
> in order to best support the needs of application developers.

And Sun.

We should aim for a set of extensions that we can all agree to support.

Extensions which have generic utility should be worked on at KITTN, the
others should be mechanism-specific extensions which we could eventually
document at the IETF as an Informational RFC.

Generic extensions include naming extensions to get at raw and parsed
authorization data as well as credential delegation at any time (needed
to get at KRB-CREDs through a raw krb5 mechanism) and initial credential
acquisition.

Mech-specific extensions include:

- setting enctype policy on credentials
- getting enctype info from credentials and security contexts
- getting keys from contexts (Ticket session key, initiator sub-key and
acceptor sub-key)

- getting a Ticket and session key from a credential
- getting a Ticket and session key from a security context

- setting a callback function on credentials which will be called at
gss_init_sec_context() time to fill in the Authenticator checksum
field and/or at gss_accept_sec_context() time to verify the
Authenticator checksum field

- misc inquiry functions

It might be reasonable to deal with the transited field as a name
attribute. I think so, at the moment anyways.

Nico
--
To: Jeffrey Altman <jaltman@columbia.edu>
Cc: rt@krbdev.mit.edu, krbdev@MIT.EDU
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
From: Sam Hartman <hartmans@mit.edu>
Date: Sat, 23 Apr 2005 23:02:16 -0400
RT-Send-Cc:
Show quoted text
>>>>> "Jeffrey" == Jeffrey Altman <jaltman@columbia.edu> writes:

Show quoted text
Jeffrey> Sam Hartman wrote:
Show quoted text
>> Shouldn't the export lucid context already get you the subkey?

Show quoted text
Jeffrey> We need to decide on a common set of gss extension
Jeffrey> functions which are going to be available on both our's
Jeffrey> and Heimdal's implementations in order to best support
Jeffrey> the needs of application developers.


If we can agree, sure. We tried that with the lucid context
discussion and it is my reading we failed to achieve consensus in
requirements.

--Sam
Date: Mon, 25 Apr 2005 10:44:50 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: Jeffrey Altman <jaltman@columbia.edu>, rt@krbdev.mit.edu, krbdev@MIT.EDU
Subject: Re: [krbdev.mit.edu #2937] GSSAPI authorization data export
RT-Send-Cc:
On Sat, Apr 23, 2005 at 11:02:16PM -0400, Sam Hartman wrote:
Show quoted text
> >>>>> "Jeffrey" == Jeffrey Altman <jaltman@columbia.edu> writes:
>
> Jeffrey> Sam Hartman wrote:
> >> Shouldn't the export lucid context already get you the subkey?
>
> Jeffrey> We need to decide on a common set of gss extension
> Jeffrey> functions which are going to be available on both our's
> Jeffrey> and Heimdal's implementations in order to best support
> Jeffrey> the needs of application developers.
>
>
> If we can agree, sure. We tried that with the lucid context
> discussion and it is my reading we failed to achieve consensus in
> requirements.

I sure wasn't being helpful then though :^(

Nico
--