RFR 6722928: Support SSPI as a native GSS-API provider
Nico Williams
Nico.Williams at twosigma.com
Mon Jun 3 16:25:30 UTC 2019
On Sat, Jun 01, 2019 at 07:43:42AM +0800, Weijun Wang wrote:
> >> This is for export(), where they use
> >> "WELLKNOWN:ORG.H5L.REFERALS-REALM" but I hesitate to introduce it.
> >
> > Heimdal defines that, but doesn't use it. MIT doesn't even define
> > it.
>
> I thought I saw it with MIT but maybe I got the library setting wrong.
> Anyway, using macOS's builtin krb5 (is that a Heimdal fork?), export()

OS X's Kerberos implementation is a Heimdal fork, yes.

> returns
>
> 0000: 04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 00 ......*.H.......
> 0010: 00 00 31 73 65 72 76 69 63 65 2F 68 6F 73 74 2E ..1service/host.
> 0020: 6B 33 78 40 57 45 4C 4C 4B 4E 4F 57 4E 3A 4F 52 k3x@WELLKNOWN:OR
> 0030: 47 2E 48 35 4C 2E 52 45 46 45 52 41 4C 53 2D 52 G.H5L.REFERALS-R
> 0040: 45 41 4C 4D EALM

Oh, interesting. I'll bring it up with the other Heimdal maintainers, and
MIT as well. I don't see why an empty realm wouldn't work here, and
there's no realistic need to interop with OS X as to exported name
tokens for non-canonical MNs, but it is supposed to be possible to do
so... Of course, for canonical MNs from inquiring an established
security context, there would be no "referrals realm", so all
implementations would interop as to exported name tokens for those.
Nico
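
The layout of the exported name token in the dump quoted above (RFC 2743 section 3.2: TOK_ID, MECH_OID_LEN, MECH_OID, NAME_LEN, NAME), decoded in an added Python example that is not part of the original message or of the JDK, Heimdal or MIT code. The function names are hypothetical, and SAMPLE is the dump's bytes retyped as hex.

```python
import struct

REFERRALS_REALM = "WELLKNOWN:ORG.H5L.REFERALS-REALM"  # realm string seen in the dump
# The 68 bytes of the dump quoted above, retyped as hex.
SAMPLE = bytes.fromhex(
    "0401000B06092A864886F71201020200" "000031736572766963652F686F73742E"
    "6B33784057454C4C4B4E4F574E3A4F52" "472E48354C2E5245464552414C532D52"
    "45414C4D")

def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    if len(der) < 3 or der[0] != 0x06 or der[1] >= 0x80:
        raise ValueError("MECH_OID is not a short-form DER OID")
    if der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("MECH_OID length or final arc is malformed")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)           # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_exported_name(tok: bytes):
    """Return (mechanism OID, name string) from an exported name token."""
    if len(tok) < 4 or tok[:2] != b"\x04\x01":
        raise ValueError("TOK_ID is not 04 01")
    oid_end = 4 + struct.unpack_from(">H", tok, 2)[0]   # MECH_OID_LEN
    if len(tok) < oid_end + 4:
        raise ValueError("token truncated before NAME_LEN")
    oid = decode_oid(tok[4:oid_end])
    name = tok[oid_end + 4:]
    if len(name) != struct.unpack_from(">I", tok, oid_end)[0]:   # NAME_LEN
        raise ValueError("NAME_LEN does not match the bytes present")
    return oid, name.decode("utf-8")

def realm_of(principal: str) -> str:
    """Realm after the last unescaped '@'; empty string if there is none."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            return principal[i + 1:]
    return ""

if __name__ == "__main__":
    oid, principal = parse_exported_name(SAMPLE)
    print(oid, principal)
    print("referrals placeholder realm:", realm_of(principal) == REFERRALS_REALM)
```

Because the realm string sits inside NAME, two tokens for the same non-canonical name compare unequal byte for byte when one implementation writes this realm and another writes an empty one.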