Skip Menu |

Subject: Name handling does not conform to RFC2744
From: Simo Sorce <>
To: krb5-bugs <>
Date: Fri, 19 Jun 2015 16:19:16 -0400
Download (untitled) / with headers
text/plain 1.3KiB
In RFC2744 3.10 it says:
"A single gss_name_t object may contain
multiple names from different namespaces, but all names should
refer to the same entity. An example of such an internal name
would be the name returned from a call to the gss_inquire_cred
routine, when applied to a credential containing credential
elements for multiple authentication mechanisms employing
different namespaces."

I found myself in exactly this situation (using gss_inquire_cred) and currently
libgssapi fails to handle the request appropriately.

In my code I am using gss_acquire_cred() with usage GSS_C_ACCEPT in order to
get a "server" name to be used. In my configuration I have 2 mechanism that have
valid server credentials, however only the first mechanism name is returned when
I call gss_inquire_cred().

Later on I use this "server" name as input for gss_init_sec_context() which is
used in a loop with gss_accept_sec_context() in order to validate user credentials
obtained via gss_acquire_cred_with_password()

If the credentials being tested are valid only for the second mechanism (using SPNEGO
to negotiate a valid mechanism for example) then the second mechanism fail to work, as
the name used is valid only for the first mechanism.

A gss_union_name_t will need to be introduced to fix this problem.


Simo Sorce * Red Hat, Inc * New York