Subject: gss_init_sec_context misbehaves on mismatched credentials
If you acquire a claimant credential with one mech type (say, krb5) and
then gss_init_sec_context with another mech type (say, SPNEGO), RFC 2743
implies that you should get back GSS_S_BAD_MECH.

What actually happens is that we proceed with default credentials for the
named mechanism.
Another reasonable behavior would be to see if the requested mechanism
supports some kind of credential import. SPNEGO would implement this SPI;
other mechanisms probably wouldn't. That's a lot more work than failing
out with GSS_S_BAD_MECH, of course.
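
An added example, not code from this ticket or from the GSS-API library it concerns: a self-contained C model of the credential-selection decision, showing the reported fallback next to the GSS_S_BAD_MECH outcome. The model_* types, select_initiator_cred and its strict flag are assumptions made for illustration; the OID bytes are the standard krb5 and SPNEGO mechanism OIDs.

```c
#include <stddef.h>
#include <string.h>

/* Model types for illustration; not the real <gssapi/gssapi.h> definitions. */
typedef struct { size_t length; const unsigned char *elements; } model_oid;
/* A claimant credential, reduced to the mechanisms it holds elements for. */
typedef struct { size_t count; const model_oid *mechs; } model_cred;

#define MODEL_S_COMPLETE 0ul
#define MODEL_S_BAD_MECH (1ul << 16) /* value of GSS_S_BAD_MECH in RFC 2744 */

/* DER contents of the two mechanism OIDs named in the ticket. */
static const unsigned char KRB5_DER[] =   /* 1.2.840.113554.1.2.2 */
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char SPNEGO_DER[] = /* 1.3.6.1.5.5.2 */
    {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
static const model_oid MECH_KRB5 = {sizeof KRB5_DER, KRB5_DER};
static const model_oid MECH_SPNEGO = {sizeof SPNEGO_DER, SPNEGO_DER};

/* Constructed sample: a credential acquired for krb5 only. */
static const model_cred KRB5_ONLY_CRED = {1, &MECH_KRB5};

static int oid_equal(const model_oid *a, const model_oid *b) {
    return a->length == b->length &&
           memcmp(a->elements, b->elements, a->length) == 0;
}

static int cred_has_mech(const model_cred *cred, const model_oid *mech) {
    for (size_t i = 0; i < cred->count; i++)
        if (oid_equal(&cred->mechs[i], mech)) return 1;
    return 0;
}

/* Credential selection at the start of context initiation.
 * cred == NULL models GSS_C_NO_CREDENTIAL, where default credentials are
 * what the caller asked for. *used_default reports whether they were used.
 * strict != 0 fails on a mismatch; strict == 0 models the reported fallback. */
unsigned long select_initiator_cred(const model_cred *cred,
                                    const model_oid *mech,
                                    int strict, int *used_default) {
    *used_default = 0;
    if (cred == NULL) { *used_default = 1; return MODEL_S_COMPLETE; }
    if (cred_has_mech(cred, mech)) return MODEL_S_COMPLETE;
    if (strict) return MODEL_S_BAD_MECH;
    *used_default = 1; /* the caller's explicit credential is silently ignored */
    return MODEL_S_COMPLETE;
}
```

In the non-strict path the call succeeds with an identity the caller never selected, which is why the mismatch is worth surfacing as an error.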