Skip Menu |

Subject: gss_init_sec_context misbehaves on mismatched credentials
If you acquire a claimant credential with one mech type (say, krb5) and
then gss_init_sec_context with another mech type (say, SPNEGO), RFC 2743
implies that you should get back GSS_S_BAD_MECH.

What actually happens is that we proceed with default credentials for the
named mechanism.
Another reasonable behavior would be to see if the requested mechanism
supports some kind of credential import. SPNEGO would implement this SPI;
other mechansms probably wouldn't. That's a lot more work than failing
out with GSS_S_BAD_MECH, of course.