[1459] in Kerberos-V5-bugs
default verifier_cred_handle unsupported
daemon@ATHENA.MIT.EDU (Dan Nessett)
Fri Jun 9 11:25:01 1995
Date: Fri, 9 Jun 1995 08:24:05 -0700
From: Danny.Nessett@Eng.Sun.COM (Dan Nessett)
To: krb5-bugs@MIT.EDU

After some discussion on the CAT-WG list, I am filing this as a bug. While this
may be controversial, I believe leaving the semantics as they now stand
both confuses and frustrates applications writers who use the GSS-API interface
to Kerb V5.

In RFC1509 in the section describing gss_accept_sec_context() concerning the
verifier_cred_handle it states:

    verifier_cred_handle    gss_cred_id_t, read, optional
                            Credential handle claimed by context acceptor.
                            Specify GSS_C_NO_CREDENTIAL to use default
                            credentials. If GSS_C_NO_CREDENTIAL is
                            specified, but the caller has no default
                            credentials established, an
                            implementation-defined default credential
                            may be used.

However, in the Kerberos V5 implementation of gss_accept_sec_context() there
is the following code:

    /* validate the cred handle - no default */
    if (verifier_cred_handle == GSS_C_NO_CREDENTIAL) {
        /* no fallback is attempted: the call fails outright */
        *minor_status = 0;
        return(GSS_S_NO_CRED);
    }

If verifier_cred_handle == GSS_C_NO_CREDENTIAL, the implementation should
attempt to obtain the caller's default credentials. This should be based
on the uid of the process. If no default credentials exist for this user,
an implementation default should be used. One possibility is:

    host/fully-qualified-domain-name@default-realm

Dan Nessett
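
The fallback order requested in the report above, modelled as an added example that is not part of the original message and is not MIT Kerberos code. The names `resolve_acceptor`, `cred_source_t` and `sample_defaults` are hypothetical, a NULL name stands in for GSS_C_NO_CREDENTIAL, and the per-uid table and host names are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical model, not the MIT krb5 GSS-API types. */
typedef enum { SRC_NONE, SRC_EXPLICIT, SRC_CALLER_DEFAULT, SRC_IMPL_DEFAULT } cred_source_t;
typedef struct { uid_t uid; const char *principal; } default_cred_t;

/* Constructed sample data: default credentials established per uid. */
static const default_cred_t sample_defaults[] = {
    { 0,    "host/server.example.com@EXAMPLE.COM" },
    { 1001, "ftp/server.example.com@EXAMPLE.COM"  },
};

/* A truncated principal name would identify a different principal,
 * so a name that does not fit is treated as "no credential". */
static int fits(int n, size_t outlen) { return n >= 0 && (size_t)n < outlen; }

cred_source_t resolve_acceptor(const char *explicit_name, uid_t uid,
                               const char *fqdn, const char *realm,
                               char *out, size_t outlen)
{
    size_t i;

    /* 1. A credential supplied by the caller always wins. */
    if (explicit_name != NULL)
        return fits(snprintf(out, outlen, "%s", explicit_name), outlen)
                   ? SRC_EXPLICIT : SRC_NONE;

    /* 2. Otherwise use the caller's default, keyed on the process uid. */
    for (i = 0; i < sizeof sample_defaults / sizeof sample_defaults[0]; i++)
        if (sample_defaults[i].uid == uid)
            return fits(snprintf(out, outlen, "%s", sample_defaults[i].principal),
                        outlen) ? SRC_CALLER_DEFAULT : SRC_NONE;

    /* 3. Implementation default: host/<fqdn>@<default-realm>. */
    if (fqdn != NULL && realm != NULL && *fqdn != '\0' && *realm != '\0' &&
        fits(snprintf(out, outlen, "host/%s@%s", fqdn, realm), outlen))
        return SRC_IMPL_DEFAULT;

    return SRC_NONE;  /* only now is GSS_S_NO_CRED the right answer */
}

int main(void) {
    char buf[128] = "";
    cred_source_t s = resolve_acceptor(NULL, 4242, "server.example.com", "EXAMPLE.COM", buf, sizeof buf);
    printf("source=%d principal=%s\n", (int)s, buf);
    return 0;
}
```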