[20352] in Kerberos_V5_Development
Re: Use of kdc_send_hook with gss_init_sec_context
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 4 13:35:14 2022
To: Isaac Boukris <iboukris@gmail.com>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Stefan Metzmacher <metze@samba.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <10f3f86c-ccc1-e122-4abb-1795faaa0647@mit.edu>
Date: Fri, 4 Feb 2022 13:34:15 -0500
MIME-Version: 1.0
In-Reply-To: <CAC-fF8RTnj57VPouKABeCZXxnarOE5Zg_4T9G_WvpOM7pxXiHA@mail.gmail.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 2/4/22 11:57 AM, Isaac Boukris wrote:

>>> Is there a way to use 'kdc_send_hook' with 'gss_init_sec_context'?
>>> If there isn't, can we add something like 'gsskrb5_set_krb5_context'?

I've floated this idea before, as a way to bridge libkrb5 functionality
(such as krb5_init_context_profile()) and GSS.

Nico dislikes the idea because he doesn't like anything that encourages
mechanism-specific code in GSS applications. He tends to favor name
attributes as the extension point when possible.

Sam has raised a more specific objection: if the context set by
gsskrb5_set_krb5_context() is per-thread (which is the easiest way to
get around contexts not being thread-safe), then it could be a source of
subtle bugs if someone creates a GSS object in one thread and gets
different behavior when they use it in another thread.

I don't totally understand your use case. If I read correctly, the
platform (wasm) requires the use of websockets rather than TCP or UDP.
So what code would register the send hook and GSS context? Does every
application have to be modified in order to work with the platform?
That doesn't seem like a good long-term design compared to solving the
problem within libkrb5.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev