RFR 6722928: Support SSPI as a native GSS-API provider

Weijun Wang weijun.wang at oracle.com
Thu May 30 03:18:00 UTC 2019


Practically, if I always add the current realm to a name without a realm, and then always remove the realm if it's the current realm when calling InitiateSecurityContext, there should be no harm. If the realm was added by me, then removing it loses no info. If it was added by the user and it's the current realm, I hope when there is no realm InitiateSecurityContext will always try the local realm first.

In fact, as I have observed, even if I don't remove the current realm from a name, InitiateSecurityContext is still doing the correct thing. I think the reason is that service/host@ and service/host@CURRENT.REALM are the same in a KDC-REQ, and even if there is a realm it still sets CANONICALIZE and accepts referrals.

Here is the latest webrev

   http://cr.openjdk.java.net/~weijun/6722928/webrev.07/

Compared to the last version (you can see in the interdiff.patch):

1. Rename KRB5_TRACE to SSPI_TRACE and always write to stderr.

2. No more guessing realm in get_full_name().

3. Some cleanup.

You can see that since I haven't retained the name type, I translate service@host to service/host right at import, and treat any name as a KRB5 name later on.

Thanks,
Max


> On May 30, 2019, at 1:23 AM, Nico Williams <Nico.Williams at twosigma.com> wrote:
> 
> On Tue, May 28, 2019 at 08:55:22AM +0800, Weijun Wang wrote:
>> Do you have any new comments?
> 
> I should take one more look.
> 
>> My major concern now is the canonicalization of service/host.dev.example.com
>> to service/host.example.com@DEV.EXAMPLE.COM now. As Michael pointed out, it
>> could well be service/host.example.com@EXAMPLE.COM.
>> 
>> My suggestion now is to strip the realm part when InitSecurityContext
>> is called. But when? If always, some information is lost if the realm
>> is provided by the caller. So, how about we add
>> "@WELLKNOWN:ORG.H5L.REFERALS-REALM" when it's a host-based service
>> name?
> 
> If a name was imported as GSS_C_NT_HOSTBASED_SERVICE, then there is no
> realm.  If it was imported as GSS_KRB5_NT_PRINCIPAL and there was no
> realm, then there is no realm.  If it was imported as
> GSS_KRB5_NT_PRINCIPAL and there was a realm, then you should respect it
> -- I say "should" because some applications will set it incorrectly,
> notably the MSSQL JDBC driver.
> 
> Now, as to SSPI, I don't know exactly how to tell it a realm to start at
> (this would be the client principal's realm in the general case) or to
> tell it to start at whatever realm Windows wants to (same thing), but
> that's what you want.
> 
> Nico
> -- 
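The name handling discussed in this thread, as an added illustration in C that is not code from the webrev or from the JDK: a hostbased name "service@host" is rewritten to "service/host" at import, the default realm is appended when the name carries none, and the realm is stripped again right before the InitializeSecurityContext call only when it equals the current realm, so a caller-supplied foreign realm survives. The function names, the exact (case-sensitive) realm comparison, the rejection of a second '@' in a hostbased name, and the sample principals are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256

/* Hypothetical import step (not the webrev's get_full_name()):
 * - hostbased (GSS_C_NT_HOSTBASED_SERVICE) "service@host" -> "service/host"
 * - a name without a realm gets default_realm appended
 * Returns 0 on success, -1 on a malformed name or a too-small buffer. */
int import_name(const char *input, bool hostbased, const char *default_realm,
                char *out, size_t outlen)
{
    char buf[NAME_MAX_LEN];
    if (strlen(input) >= sizeof buf)
        return -1;
    strcpy(buf, input);

    if (hostbased) {
        /* Hostbased form is "service@host" or just "service"; a '/' or a
         * second '@' means the caller handed us something else (assumption). */
        if (strchr(buf, '/'))
            return -1;
        char *at = strchr(buf, '@');
        if (at) {
            if (strchr(at + 1, '@'))
                return -1;
            *at = '/';
        }
    }

    /* The last '@' separates the realm, if any. */
    const char *realm = strrchr(buf, '@');
    int n;
    if (realm && realm[1] != '\0')
        n = snprintf(out, outlen, "%s", buf);                 /* realm given */
    else if (realm)                                           /* trailing '@' */
        n = snprintf(out, outlen, "%.*s@%s", (int)(realm - buf), buf, default_realm);
    else
        n = snprintf(out, outlen, "%s@%s", buf, default_realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical pre-InitializeSecurityContext step: drop the realm only when it
 * is the current realm, so a realm we added at import is not passed on while a
 * differing, caller-supplied realm is kept. Returns true if a realm was removed. */
bool strip_current_realm(char *name, const char *current_realm)
{
    char *realm = strrchr(name, '@');
    if (!realm)
        return false;
    if (strcmp(realm + 1, current_realm) != 0)   /* realms compared exactly (assumption) */
        return false;
    *realm = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample names; EXAMPLE.COM plays the current realm. */
    const char *samples[] = { "HTTP@www.example.com", "HTTP/www.example.com@OTHER.COM" };
    bool hostbased[] = { true, false };
    char name[NAME_MAX_LEN];
    for (int i = 0; i < 2; i++) {
        if (import_name(samples[i], hostbased[i], "EXAMPLE.COM", name, sizeof name) != 0)
            continue;
        printf("imported: %s\n", name);
        strip_current_realm(name, "EXAMPLE.COM");
        printf("passed to InitializeSecurityContext: %s\n", name);
    }
    return 0;
}
```

The first sample ends up as "HTTP/www.example.com" (the realm added at import is removed again), the second keeps its "@OTHER.COM" suffix untouched.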