Allow only the correct mechs #44
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implemented by aqcuiring creds only for allowed_mechs and by explicity adding spnego to the allowed_mechs set (while still restricting spengo only to the allowed mechanism as before).
If no explicit allowed mechanism is set in configuration just ask gssapi for a list of known mechanisms and use that. do not try to artificially acquire credentials as ultimatily all that does is just call gss_inidicate_mechs() internally. Do not store the result of gss_inidicate_mechs() on cfg->allowed_mechs as that would lead to a leak fiven cfg->allowed_mechs is considered allocated on a memory pool, while gss_inidate_mechs()s results are not. Signed-off-by: Simo Sorce <simo@redhat.com>
This was referenced Jun 16, 2015
Closed
Try each allowed mechanism explicitly in a loop including sourcing the server name per mechanism to insure the proper name type is used in the accept. Otherwise secondary mechanims will fail to work. Fixes gssapi#43 Signed-off-by: Simo Sorce <simo@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Properly restrict the mechanism we want to allow even if the client misuses the Negotiate key word to perform raw NTLM/Kerb/Whatever authentication instead of using SPNEGO.