[271] in Kerberos-V5-bugs


Re: gssapi/kerberos

tytso@ATHENA.MIT.EDU (tytso@ATHENA.MIT.EDU)
Thu Dec 17 20:59:32 1992

   Date: 17 Dec 1992 11:36:35 U
   From: "John Fletcher" <John_Fletcher@lccmail.ocf.llnl.gov>

   I made up a test code that calls every one of the 19 gssapi procedures (as
   There is a missing entry point, "error_message".  The only reference
   to it that I can find is in gssapi/dsp_status.c.  What additional
   library do I need? 

That's in the com_err library; it needs to be linked in after -lkrb.

   There are three missing gssapi routines: gss_delete_sec_context,
   gss_process_context_token, and gss_context_time.  Are these
   intentionally not provided?  If so, then does one just shrug off a
   context for which there is no longer any interest without "cleaning
   up", and how should one find out the context time?

No, they're unintentionally not provided.  The current Kerberos
implementation doesn't send any context tokens, so
gss_process_context_token() can just be a NOP routine.  Ditto for
gss_delete_sec_context for now, although it really should free the
appropriate memory structures.  gss_context_time() also doesn't have
much meaning for Kerberos, since traditionally we have _not_ timed out
the context after the initial authentication.  It is debatable whether
or not we should, though.  For security reasons, it is definitely
useful; on the other hand, people would be pretty annoyed if immediately
after your tickets timed out, your rlogin connection were to be
terminated without any warning.  :-) So depending on which way you want
to go, gss_context_time() should either return infinity or the time
until the tickets expire.  For a quick workaround, just have it return
infinity.

The workarounds that I'm giving you are assuming you want to kludge past
the missing routines so that you can link it against your application; I
will work on fixing these "correctly" in the next release.

						- Ted
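
Added example (not part of the message above and not MIT's code): a link-time shim for the three missing routines, showing both gss_context_time() choices discussed in the reply and a gss_delete_sec_context() that wipes and frees the context instead of being a NOP. The types and status constants are local stand-ins modeled on the later RFC 2744 C bindings; struct shim_ctx and shim_expire_with_ticket are hypothetical names.

```c
/* Added example, not MIT's code. Types/constants are stand-ins modeled on RFC 2744. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
typedef unsigned int OM_uint32;
typedef struct { size_t length; void *value; } *gss_buffer_t;
#define GSS_S_COMPLETE        0u
#define GSS_S_NO_CONTEXT      (8u << 16)
#define GSS_S_CONTEXT_EXPIRED (12u << 16)
#define GSS_C_INDEFINITE      0xffffffffu
/* Hypothetical context layout; the real structure is not shown in the post. */
typedef struct shim_ctx { unsigned char key[8]; time_t ticket_end; } *gss_ctx_id_t;
#define GSS_C_NO_CONTEXT ((gss_ctx_id_t)0)
int shim_expire_with_ticket = 0;  /* 0 = quick workaround: report infinity */

OM_uint32 gss_process_context_token(OM_uint32 *minor, gss_ctx_id_t ctx, gss_buffer_t tok)
{   /* No context tokens are sent, so there is nothing to process. */
    (void)ctx; (void)tok; *minor = 0; return GSS_S_COMPLETE;
}

OM_uint32 gss_delete_sec_context(OM_uint32 *minor, gss_ctx_id_t *ctx, gss_buffer_t out)
{
    *minor = 0;
    if (out) { out->length = 0; out->value = NULL; }    /* no token for the peer */
    if (!ctx || *ctx == GSS_C_NO_CONTEXT) return GSS_S_NO_CONTEXT;
    /* Wipe the key through a volatile pointer so the stores are not elided. */
    for (size_t i = 0; i < sizeof **ctx; i++) ((volatile unsigned char *)*ctx)[i] = 0;
    free(*ctx); *ctx = GSS_C_NO_CONTEXT;                /* no dangling handle */
    return GSS_S_COMPLETE;
}

OM_uint32 gss_context_time(OM_uint32 *minor, gss_ctx_id_t ctx, OM_uint32 *time_rec)
{
    *minor = 0; *time_rec = 0;
    if (ctx == GSS_C_NO_CONTEXT) return GSS_S_NO_CONTEXT;
    if (!shim_expire_with_ticket) { *time_rec = GSS_C_INDEFINITE; return GSS_S_COMPLETE; }
    time_t now = time(NULL);
    if (ctx->ticket_end <= now) return GSS_S_CONTEXT_EXPIRED;
    *time_rec = (OM_uint32)(ctx->ticket_end - now);     /* seconds left on ticket */
    return GSS_S_COMPLETE;
}

int main(void)
{   /* constructed sample: a context whose ticket expires in 600 s */
    OM_uint32 minor, left;
    gss_ctx_id_t c = calloc(1, sizeof *c);
    if (!c) return 1;
    c->ticket_end = time(NULL) + 600;
    if (gss_context_time(&minor, c, &left) == GSS_S_COMPLETE) printf("time_rec=%u\n", left);
    return gss_delete_sec_context(&minor, &c, NULL) != GSS_S_COMPLETE;
}
```

With shim_expire_with_ticket set to 1, a caller that polls gss_context_time() sees GSS_S_CONTEXT_EXPIRED once the ticket lapses and can warn the user before closing the session, rather than dropping it silently.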



