[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSS-SPNEGO Protocol Details

Volker Lendecke wrote:
On Mon, Jan 29, 2007 at 08:59:36PM -0800, Howard Chu wrote:
 1) GSS-SPNEGO search replies are sealed even though the request was
 not and a capture of another client talking to the same server shows
 replies as integ-only. A examination of the captures of my code and
 the other client shows the packets are identical (minus ber encoding
 differences and encrypted krb5 bits).
That would normally require the confidentiality flag to be set on the ContextFlags of the NegotiationToken.

This is one thing that I've got confused over recently as well. Just from coincidence I did pretty much the same Michael did last weekend and I discovered the same asymmetry. However I was told that a standard GSSAPI exchange always contains the conf and integ bits, at least MIT 1.5.1 does so. If I patch MIT to not set the bits (Samba4 also would let me do it), then I can get Windows to send signed-only replies. Maybe it's a Windows thing not following RFCs, but I wonder how I would tell a Server to send signed-only given that MIT krb always offers confidentiality.

When invoked from Cyrus SASL it will only offer confidentiality if the sasl-secprops are set with minssf > 1. Since you're talking about your own private SASL implementations obviously we can't tell.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/