Subject: SPNEGO should filter mechs on acceptor with gss_acquire_cred()
Date: Tue, 29 Oct 2019 14:41:16 -0400
In SPNEGO, the initiator proposes a list of mechanisms and the acceptor picks one.  In the code, the list of negotiable mechanisms on each side is taken from the credential if one is provided; otherwise gss_indicate_mechs() is used (with SPNEGO removed, and after tickets 8021 and 8217 some mechs are filtered out by attribute).  In the latter case, the initiator but not the acceptor filters the mechs using gss_acquire_cred().  This distinction in behavior dates back to the original import of the Solaris SPNEGO code.

I believe the acceptor should also filter mechs using gss_acquire_cred(), to reduce the likelihood that it will choose a mechanism it cannot accept.  This will also provide greater consistency between using the default verifier_cred_handle and using an explicitly acquired verifier_cred_handle obtained with the default name and mech list.
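The following is an added example, not code from the ticket or from the krb5 tree: a small Python model of the acceptor-side selection described above. The mech names, the INDICATED_MECHS list and the ACQUIRABLE table are constructed stand-ins for what gss_indicate_mechs() and gss_acquire_cred() would report on a real host; negotiate_mech() models the RFC 4178 rule of taking the first mech in the initiator's list that the acceptor supports. It shows the failure mode the ticket is about (the unfiltered acceptor selecting a mech it has no acceptor cred for) beside the filtered behaviour being proposed.

```python
"""Model of SPNEGO acceptor mech selection with and without cred filtering.

Constructed example; not krb5 code.  Mech labels stand in for OIDs and the
ACQUIRABLE table stands in for the outcome of gss_acquire_cred() with
GSS_C_ACCEPT on an invented host.
"""
from typing import Dict, List, Optional, Tuple

SPNEGO = "spnego"

# What gss_indicate_mechs() would list on this invented host (assumption).
INDICATED_MECHS: List[str] = [SPNEGO, "krb5", "iakerb", "ntlmssp"]

# Whether an acceptor cred can be acquired per mech on this invented host:
# a keytab exists for krb5/iakerb, but there is no NTLM credential store.
ACQUIRABLE: Dict[str, bool] = {"krb5": True, "iakerb": True, "ntlmssp": False}


def gss_acquire_cred(mech: str) -> bool:
    """Stand-in for gss_acquire_cred(); True means a cred was obtained."""
    return ACQUIRABLE.get(mech, False)


def acceptor_mechs(filter_by_cred: bool) -> List[str]:
    """Negotiable mechs for the acceptor when no verifier cred is supplied.

    Both variants drop SPNEGO itself, which is never negotiated inside
    SPNEGO.  With filter_by_cred=True the acceptor additionally keeps only
    mechs for which an acceptor cred can be acquired, mirroring what the
    initiator already does and what the ticket proposes for the acceptor.
    """
    mechs = [m for m in INDICATED_MECHS if m != SPNEGO]
    if filter_by_cred:
        mechs = [m for m in mechs if gss_acquire_cred(m)]
    return mechs


def negotiate_mech(supported: List[str],
                   received: List[str]) -> Tuple[Optional[str], str]:
    """Pick the first mech in the initiator's list that the acceptor supports.

    Returns (chosen mech or None, negotiation state).  Per RFC 4178, choosing
    anything other than the initiator's first preference requires a MIC
    exchange; no common mech means the negotiation is rejected.
    """
    for i, mech in enumerate(received):
        if mech in supported:
            return mech, "accept-incomplete" if i == 0 else "request-mic"
    return None, "reject"


def run_negotiation(initiator_proposal: List[str],
                    filter_by_cred: bool) -> Tuple[Optional[str], str, bool]:
    """Select a mech, then report whether the acceptor could actually use it.

    'usable' is False when the chosen mech has no acceptor cred, which is the
    case where the context establishment would fail after a mech was already
    agreed on.
    """
    chosen, state = negotiate_mech(acceptor_mechs(filter_by_cred),
                                   initiator_proposal)
    usable = chosen is not None and gss_acquire_cred(chosen)
    return chosen, state, usable


if __name__ == "__main__":
    # An initiator that holds both NTLM and Kerberos creds proposes NTLM first.
    proposal = ["ntlmssp", "krb5"]
    for filtered in (False, True):
        chosen, state, usable = run_negotiation(proposal, filtered)
        print(f"filter_by_cred={filtered}: chose {chosen!r}, state={state}, "
              f"acceptor can use it: {usable}")
```

Without filtering, the acceptor advertises ntlmssp because gss_indicate_mechs() lists it, selects it as the initiator's first preference, and only discovers it has no acceptor cred once it tries to accept. With filtering, ntlmssp never enters the acceptor's list, so krb5 is selected (with the MIC exchange RFC 4178 requires for a non-first choice) and the context can actually be established.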
Subject: git commit

Restrict SPNEGO acceptor mechs by cred acquisition

When the default cred is used, the SPNEGO initiator restricts the list
of negotiable mechanisms to those we can acquire a cred for, so that
we don't propose a mech we know can't work. The acceptor should do
the same.
Author: Greg Hudson <>
Commit: c088f56a62702a2cc99c26185681efee1555b7fa
Branch: master
src/lib/gssapi/spnego/spnego_mech.c | 12 ++++--------
1 files changed, 4 insertions(+), 8 deletions(-)