[20058] in Kerberos_V5_Development


Re: Current semantics for channel-bindings in GSSAPI

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Mar 10 11:35:28 2020

MIME-Version: 1.0
In-Reply-To: <73d92c4b-ac14-b6ed-40ca-3c2ddc89dcc9@samba.org>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 10 Mar 2020 16:34:38 +0100
Message-ID: <CAC-fF8RMQCFbLSZ=dBqpOuPSxGtpP=CBAYo_pA--M90pqwcDsw@mail.gmail.com>
To: Stefan Metzmacher <metze@samba.org>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
        Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Tue, Mar 10, 2020 at 4:23 PM Stefan Metzmacher <metze@samba.org> wrote:
>
> Hi Isaac,
>
> > As discussed last week, we want the following changes.
> >
> > - MIT should match Heimdal behavior and only error if client bindings
> > are not all zeros.
> > - Both Heimdal/MIT should return channel-bound flag if the bindings did match.
> > - Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
> > present in the authenticator, in which case if the server passed bindings
> > they must match.
> > - Both Heimdal/MIT should provide a conf option to assert that the client
> > system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
> > sent in any ap-req.
> >
> > I submitted wip PR #1047 upstream MIT based on the above.
> >
> > @metze, would that satisfy samba's requirements?
>
> I looked briefly and the core changes look good,
> but (as always :-) I think krb5.conf options alone are inflexible
> and I'd really like to get rid of autogenerated krb5.conf files and
> global exporting "KRB5_CONFIG". So APIs to turn this on from the
> application would be great.

Ok, so we'd need a new cred-option to override it by the application.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
