[20095] in Kerberos_V5_Development
Re: NegoEx broke GSSAPI in BIND 9
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 21 13:37:15 2020
To: Ondřej Surý <ondrej@isc.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <ee97a794-d1e6-ba95-2031-8cc35ae0bcde@mit.edu>
Date: Thu, 21 May 2020 13:36:47 -0400
MIME-Version: 1.0
In-Reply-To: <64B463AE-4D74-408B-A662-16E5D184E014@isc.org>
Content-Language: en-US
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
With some help from Ondřej setting up the test environment I found the
bug. It's unfortunately pretty bad, and I'm surprised it hasn't been
more of an issue. The bug applies when the server uses the default
acceptor credential and no ccache with tickets is present in the
environment. The first of those criteria might be rarer than I would
have thought.
The bug is in spnego_mech.c:acc_ctx_new(), which was accidentally
changed to call get_negotiable_mechs() with GSS_C_INITIATE instead of
GSS_C_ACCEPT. When the default credential is used, this usage causes
mechs to be filtered by availability of initiator rather than acceptor
credentials. If there is a non-empty ccache in the environment (as is
almost always the case in krb5's automated tests), things work fine, but
if not, krb5 is erroneously filtered out.
I will speed through a patch release.
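The failure mode described above, as an added example that is not krb5's code and not part of the original message: a constructed C model of an acceptor that filters its negotiable mech list by credential usage. The mech table, the `env_t` environment, the second mech name ("mech-b") and the helper bodies are all invented for illustration; only the usage names `GSS_C_INITIATE`/`GSS_C_ACCEPT` and the idea of filtering by credential availability come from the e-mail.

```c
/* Constructed model of SPNEGO-style mech filtering by credential usage.
 * Added example; not krb5's spnego_mech.c. Names and data are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { GSS_C_INITIATE, GSS_C_ACCEPT } cred_usage_t;

/* Server process environment (constructed for the example). */
typedef struct {
    bool ccache_present; /* a non-empty ccache with tickets is available */
    bool keytab_present; /* service keys readable by the acceptor */
} env_t;

/* One mechanism and whether its default credential of each usage
 * can be acquired in the given environment. */
typedef struct {
    const char *name;
    bool have_initiator_cred;
    bool have_acceptor_cred;
} mech_t;

/* Filter: a mech is negotiable for `usage` only if the default
 * credential of that usage can be obtained. Returns count written. */
size_t get_negotiable_mechs(const env_t *env, cred_usage_t usage,
                            const char **out, size_t max) {
    /* krb5's initiator cred comes from the ccache, its acceptor cred
     * from the keytab; "mech-b" is a constructed mech that is always
     * available, so the list is never empty. */
    mech_t mechs[] = {
        { "krb5",   env->ccache_present, env->keytab_present },
        { "mech-b", true,                true                },
    };
    size_t n = 0;
    for (size_t i = 0; i < sizeof mechs / sizeof mechs[0] && n < max; i++) {
        bool ok = (usage == GSS_C_INITIATE) ? mechs[i].have_initiator_cred
                                            : mechs[i].have_acceptor_cred;
        if (ok)
            out[n++] = mechs[i].name;
    }
    return n;
}

/* True if krb5 survives filtering under `usage`. */
bool krb5_offered(const env_t *env, cred_usage_t usage) {
    const char *list[8];
    size_t n = get_negotiable_mechs(env, usage, list, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], "krb5") == 0)
            return true;
    return false;
}

/* The mistaken acceptor asks for initiator creds; the corrected one
 * asks for acceptor creds, as the e-mail describes. */
bool acc_ctx_new_buggy(const env_t *env) { return krb5_offered(env, GSS_C_INITIATE); }
bool acc_ctx_new_fixed(const env_t *env) { return krb5_offered(env, GSS_C_ACCEPT); }

int main(void) {
    /* A production service: keytab present, no user tickets in a ccache. */
    env_t service = { .ccache_present = false, .keytab_present = true };
    /* A developer/test box where a ccache with tickets happens to exist. */
    env_t dev_box = { .ccache_present = true, .keytab_present = true };

    printf("service, buggy acceptor: krb5 offered = %d\n", acc_ctx_new_buggy(&service));
    printf("service, fixed acceptor: krb5 offered = %d\n", acc_ctx_new_fixed(&service));
    printf("dev box, buggy acceptor: krb5 offered = %d\n", acc_ctx_new_buggy(&dev_box));
    return 0;
}
```

The dev-box case shows why automated tests that run with a populated ccache would not catch the regression: the wrong usage still finds a credential there, so krb5 stays in the list, while a real service with only a keytab loses it.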
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev