[38741] in Kerberos
Re: Hi All,
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 26 18:04:24 2020
To: Ming Zhi <woodhead99@gmail.com>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c76341bc-6578-06b0-7105-bd9e8f2a6ffd@mit.edu>
Date: Tue, 26 May 2020 18:01:29 -0400
In-Reply-To: <CAAYuYkr_AHv=5=Mt68ar3vPCPcnPSy17ze9RZLP_fo0oJ=atKQ@mail.gmail.com>

On 5/26/20 2:54 AM, Ming Zhi wrote:
> But with GSSAPI, I cannot find an official way to set the hook between the
> `context' creation and the start of kdc traffic, as is done in a single
> function `gss_init_sec_context'. The worst situation is that I need to get
> hands dirty to change the source code.

Unfortunately I don't think we have a good solution here. We have a
"locate" pluggable interface [1] which might work (basically, have it
always return a local service, which then parses out the realm name from
the request).

I am personally fond of the idea of having a krb5 interface to control
the per-thread krb5_context object used by the GSS mech, for situations
like these. But other people have disliked the idea, so I haven't
implemented it.

[1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
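
The realm-parsing step of the local service described in the reply above, as an added example that is not part of the original message or of MIT krb5: it walks the DER encoding of a KDC-REQ (RFC 4120) to the realm field of req-body. It assumes a bare request as carried over UDP (over TCP a 4-byte length prefix precedes it); all function names are hypothetical and the sample AS-REQ is constructed and reduced to the fields the parser reads.

```python
def read_tlv(buf, off=0, expect=None):
    """Return (tag, value, next_offset) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    if expect is not None and tag != expect:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect, tag))
    return tag, buf[off:off + length], off + length

def field(seq, want):
    """Return the contents of the context-tagged field `want` in a SEQUENCE body."""
    off = 0
    while off < len(seq):
        tag, val, off = read_tlv(seq, off)
        if tag == want:
            return val
    raise ValueError("field 0x%02x missing" % want)

def kdc_req_realm(msg):
    """Realm named in an AS-REQ (tag 0x6A) or TGS-REQ (tag 0x6C)."""
    tag, outer, _ = read_tlv(msg)
    if tag not in (0x6A, 0x6C):
        raise ValueError("not a KDC-REQ")
    _, kdc_req, _ = read_tlv(outer, expect=0x30)               # KDC-REQ SEQUENCE
    _, body, _ = read_tlv(field(kdc_req, 0xA4), expect=0x30)   # req-body [4]
    _, realm, _ = read_tlv(field(body, 0xA2), expect=0x1B)     # realm [2] GeneralString
    return realm.decode("ascii")

def tlv(tag, value):                        # DER encoder, used only to build the sample
    n = len(value)
    k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + value

def sample_as_req(realm):
    """Constructed, reduced AS-REQ: only pvno, msg-type, kdc-options and realm."""
    body = tlv(0x30, tlv(0xA0, tlv(0x03, bytes(5))) + tlv(0xA2, tlv(0x1B, realm.encode("ascii"))))
    req = tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0a")) + tlv(0xA4, body)
    return tlv(0x6A, tlv(0x30, req))
```

A service using this would reject anything that raises `ValueError` rather than guess a realm, since the request arrives before any authentication has happened.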