Re: MIT Kerberos using invalid in-memory credential cache
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Thu Jan 14 10:34:35 2021
In-Reply-To: <53442d70-28a1-a984-d52c-8f7f656b537e@mit.edu>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Thu, 14 Jan 2021 19:07:10 +0530
Message-ID: <CAMeQEL885Zo3s+42JnJvLfsTKqGDMGVd=yMFi4utqMwa9aQFgw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu
What is the logic used to find out the default credential cache?
If I specify the KRB5 mech type with a KRB5 GSS credential, MIT Kerberos will
return a krb5 token. Is there any way to convert this krb5 token into a SPNEGO
token?
We use a Tomcat server which accepts SPNEGO tokens only.
If I am able to obtain a SPNEGO token using a krb5 cred then I will also be
able to use this piece of code to enhance the curl library to work with a
user-specified krb5 GSS credential, which will be helpful for use cases in
which a service needs to impersonate multiple authenticated users.
On Mon, Jan 11, 2021 at 10:33 PM Greg Hudson <ghudson@mit.edu> wrote:
> On 1/7/21 3:11 AM, Vipul Mehta wrote:
> > 1) How is the default credential picked up when GSS_C_NO_CREDENTIAL is
> > specified in gss_init_sec_context()? How is the in-memory credential cache
> > used here?
>
> The default ccache is used, which is generally not a memory credential
> cache. krb5_gss_init_sec_context_ext() calls kg_get_defcred() which
> calls krb5_gss_acquire_cred() with default arguments.
>
> > 2) If the GSS credential passed to gss_init_sec_context() does not
> > match the specified mechanism type then GSS_C_NO_CREDENTIAL is the
> > value returned from gssint_get_mechanism_cred(). Why does it not simply
> > fail here, as the client didn't pass a matching OID and cred?
>
> I'd call that a long-standing bug. The same was true for
> gss_accept_sec_context() until commit
> 79c34ed3d829ee9e3fa64aa5b3b90b4e37514cf7.
>
> > One more question - How to create a SPNEGO output token from
> > gss_init_sec_context using a krb5 gss credential?
>
> You can't; you have to acquire a SPNEGO credential, which will acquire a
> krb5 credential internally (and possibly other mech credentials). You
> can use gss_set_neg_mechs() to determine which mechs can be negotiated
> with the SPNEGO credential.
>
> There have been proposed extensions to allow a mech credential to be
> used with SPNEGO, but none have been implemented in MIT krb5. One old
> proposal is a gss_acquire_cred_with_cred() function, which could allow
> an arbitrary cred to be turned into a SPNEGO cred. Another proposal,
> implemented recently in Heimdal, is to decide that as a negotiation
> mechanism, SPNEGO directly uses union creds and can be invoked with
> arbitrary claimant credentials.
>
--
Regards,
Vipul
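Greg's point that a raw krb5 token and a SPNEGO token are distinct things (and Tomcat only accepts the latter) can be verified on the wire: the Python below is an added example, not code from this thread or from MIT krb5, that decodes the RFC 2743 InitialContextToken framing and reports which mechanism OID an `Authorization: Negotiate` header carries. The sample tokens it builds are constructed placeholders with no real AP-REQ inside.

```python
import base64

# DER-encoded mechanism OIDs: krb5 (RFC 1964) and SPNEGO (RFC 4178).
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
MECH_NAMES = {KRB5_OID: "krb5", SPNEGO_OID: "SPNEGO"}

def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def token_mech(token):
    """Name the mechanism of a GSS-API InitialContextToken (RFC 2743, 3.1)."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not an InitialContextToken ([APPLICATION 0] tag missing)")
    total, pos = _der_length(token, 1)
    if total == 0 or pos + total != len(token) or token[pos] != 0x06:
        raise ValueError("bad framing or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    return MECH_NAMES.get(oid, "unknown OID " + oid.hex())

def negotiate_header_mech(header):
    """Classify the token carried by an HTTP 'Authorization: Negotiate <b64>'."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return token_mech(base64.b64decode(b64))

def build_token(oid, inner):
    """Constructed sample: wrap inner bytes in the RFC 2743 framing (no real ticket)."""
    body = b"\x06" + _der_encode_length(len(oid)) + oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body

def sample_header(oid):
    """Constructed 'Authorization: Negotiate' value for the given mechanism."""
    return "Negotiate " + base64.b64encode(build_token(oid, bytes(200))).decode()
```

A header whose token reports "krb5" is exactly the case in this thread: the client sent a bare krb5 mech token, which a SPNEGO-only server will reject.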