RFR 6722928: Support SSPI as a native GSS-API provider

Nico Williams Nico.Williams at twosigma.com
Wed May 29 17:23:54 UTC 2019


On Tue, May 28, 2019 at 08:55:22AM +0800, Weijun Wang wrote:
> Do you have any new comments?

I should take one more look.

> My major concern now is the canonicalization of service/host.dev.example.com
> to service/host.example.com at DEV.EXAMPLE.COM now. As Michael pointed out, it
> could well be service/host.example.com at EXAMPLE.COM.
> 
> My suggestion now is to strip the realm part when InitSecurityContext
> is called. But when? If always, some information is lost if the realm
> is provided by the caller. So, how about we add
> "@WELLKNOWN:ORG.H5L.REFERALS-REALM" when it's a host-based service
> name?

If a name was imported as GSS_C_NT_HOSTBASED_SERVICE, then there is no
realm.  If it was imported as GSS_KRB5_NT_PRINCIPAL and there was no
realm, then there is no realm.  If it was imported as
GSS_KRB5_NT_PRINCIPAL and there was a realm, then you should respect it
-- I say "should" because some applications will set it incorrectly,
notably the MSSQL JDBC driver.

Now, as to SSPI, I don't know exactly how to tell it a realm to start at
(this would be the client principal's realm in the general case) or to
tell it to start at whatever realm Windows wants to (same thing), but
that's what you want.

Nico
-- 
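Added illustration of the three import-time cases Nico lists (not code from the JDK or from the SSPI provider under review): a small C routine that decides whether a realm was actually specified by the caller, given the name type used at import. The `name_type_t` enum and `target_name_t` struct are hypothetical stand-ins for the GSS-API OIDs and `gss_name_t`, and the sample names are constructed. It deliberately stops short of the open question in the mail, namely how to tell SSPI which realm to start from.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the GSS-API name-type OIDs (assumption). */
typedef enum {
    NT_HOSTBASED_SERVICE,   /* GSS_C_NT_HOSTBASED_SERVICE: "service@host"          */
    NT_KRB5_PRINCIPAL       /* GSS_KRB5_NT_PRINCIPAL:      "service/host[@REALM]"  */
} name_type_t;

#define PART_MAX 256

typedef struct {
    char service[PART_MAX];
    char host[PART_MAX];
    char realm[PART_MAX];   /* meaningful only when has_realm != 0 */
    int  has_realm;         /* 1: caller supplied a realm, so respect it */
} target_name_t;

/* Bounded copy of a name component; -1 if it would not fit. */
static int copy_part(char *dst, const char *src, size_t len) {
    if (len >= PART_MAX) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Split `name` according to `type`. Returns 0 on success, -1 on a malformed name. */
int resolve_target(name_type_t type, const char *name, target_name_t *out) {
    memset(out, 0, sizeof *out);
    if (name == NULL || *name == '\0') return -1;

    if (type == NT_HOSTBASED_SERVICE) {
        /* In the host-based form '@' separates service from host; it never
         * introduces a realm, so has_realm stays 0 whatever follows it. */
        const char *at = strchr(name, '@');
        if (at == NULL) return copy_part(out->service, name, strlen(name));
        if (copy_part(out->service, name, (size_t)(at - name)) != 0) return -1;
        return copy_part(out->host, at + 1, strlen(at + 1));
    }

    /* NT_KRB5_PRINCIPAL: the last '@', if present, introduces the realm. */
    const char *at = strrchr(name, '@');
    size_t body_len = at ? (size_t)(at - name) : strlen(name);
    if (at != NULL) {
        if (at[1] == '\0') return -1;   /* "service/host@" with empty realm is malformed */
        if (copy_part(out->realm, at + 1, strlen(at + 1)) != 0) return -1;
        out->has_realm = 1;
    }
    /* Without a realm we leave has_realm at 0: let the KDC (or SSPI) decide. */
    const char *slash = memchr(name, '/', body_len);
    if (slash == NULL) return copy_part(out->service, name, body_len);
    if (copy_part(out->service, name, (size_t)(slash - name)) != 0) return -1;
    return copy_part(out->host, slash + 1, body_len - (size_t)(slash - name) - 1);
}

/* 1 if the caller's realm must be passed through to the mechanism, else 0. */
int realm_is_specified(name_type_t type, const char *name) {
    target_name_t t;
    return resolve_target(type, name, &t) == 0 && t.has_realm;
}

int main(void) {
    /* Constructed sample names; example.com is not a real deployment. */
    const struct { name_type_t type; const char *name; } samples[] = {
        { NT_HOSTBASED_SERVICE, "host@host.dev.example.com" },
        { NT_KRB5_PRINCIPAL,    "host/host.dev.example.com" },
        { NT_KRB5_PRINCIPAL,    "host/host.dev.example.com@DEV.EXAMPLE.COM" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        target_name_t t;
        if (resolve_target(samples[i].type, samples[i].name, &t) != 0) {
            printf("%-45s -> malformed\n", samples[i].name);
            continue;
        }
        printf("%-45s -> service=%s host=%s realm=%s\n", samples[i].name,
               t.service, t.host,
               t.has_realm ? t.realm : "(none: let the KDC/SSPI decide)");
    }
    return 0;
}
```

The point worth noticing is the first case: a naive parser that treats every `@` as a realm separator would turn the host-based name `host@host.dev.example.com` into a principal with realm `host.dev.example.com`, which is exactly the kind of mis-set realm the mail warns about from some callers.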