Subject: SPNEGO clients should not try IAKERB by default
We implemented IAKERB in 1.9. SPNEGO automatically tries all mechanisms
except for SPNEGO itself, so it tries IAKERB after regular krb5. In
practice, this is rarely useful and often serves to complicate scenarios
which would otherwise be simple. For instance, if the user has credentials
but we cannot get a service ticket for the target host, we try IAKERB
instead of failing locally; most of the time this is unnecessary work and
obscures the resulting error message.

From: ghudson@mit.edu
Subject: git commit

Don't assert GSS_C_MA_NOT_DFLT_MECH in mechglue

gss_inquire_attrs_for_mech() should not add GSS_C_MA_NOT_DFLT_MECH to
mechs which aren't the default. The attribute means "MUST NOT be used
as a default mechanism" (RFC 5587) and is intended to be used by the
mechglue. It does not mean "is not the default mech".

https://github.com/krb5/krb5/commit/2a34b898b4810e88c9137818b6cd0e762e480196
Author: Greg Hudson <ghudson@mit.edu>
Commit: 2a34b898b4810e88c9137818b6cd0e762e480196
Branch: master
src/lib/gssapi/mechglue/g_mechattr.c | 15 ---------------
1 files changed, 0 insertions(+), 15 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Limit use of IAKERB

Add the GSS_C_MA_NOT_DFLT_MECH attribute to IAKERB, and filter out
mechs with that attribute from the SPNEGO and gss_acquire_cred()
default mechanisms.

Add a -iakerb option to gss-server and pass it when performing IAKERB
tests. Also add tests using the wrong password, to verify that
gss_acquire_cred_with_password() fails with the wrong password when
using SPNEGO.

https://github.com/krb5/krb5/commit/608a65570aa868d6e03423b5de3b8f82c0bff60b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 608a65570aa868d6e03423b5de3b8f82c0bff60b
Branch: master
src/appl/gss-sample/gss-server.c | 22 ++++++++--
src/appl/gss-sample/t_gss_sample.py | 60 ++++++++++++++++++++----------
src/lib/gssapi/krb5/gssapi_krb5.c | 1 +
src/lib/gssapi/mechglue/g_acquire_cred.c | 5 +-
src/lib/gssapi/spnego/spnego_mech.c | 5 +-
5 files changed, 64 insertions(+), 29 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Check mech in gss_accept_sec_context w/ no cred

If no verifier_cred_handle is passed to gss_accept_sec_context(),
accept the same mechs as we would with a default acceptor
credential--that is, not those which assert the GSS_C_MA_DEPRECATED or
GSS_C_MA_NOT_DFLT_MECH attributes.

https://github.com/krb5/krb5/commit/382556f580e3b7fb8469976988c50b67bba51f26
Author: Greg Hudson <ghudson@mit.edu>
Commit: 382556f580e3b7fb8469976988c50b67bba51f26
Branch: master
src/lib/gssapi/mechglue/g_accept_sec_context.c | 28 ++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)