Kirill,

Users of MIT GSSAPI, which does not support SPNEGO, need to implement code to add SPNEGO wrapping and remove SPNEGO wrapping to and from RFC 1964 Kerberos GSSAPI tokens.

One solution, and probably the best, is to implement gss_init_sec_context and gss_accept_sec_context that do this. Another solution, which one could argue is less disciplined, is to add SPNEGO wrapping after calling gss_init_sec_context and remove SPNEGO wrapping before calling gss_accept_sec_context. modgssapache (http://sourceforge.net/projects/modgssapache) and mod_spnego use the latter solution, and fbopenssl contains code to add and remove SPNEGO wrapping using OpenSSL's ASN.1/DER engine.

Frank

Kirill Mendelev <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/19/2005 04:54 AM

To: [email protected]
cc:
Subject: Re: Krb5 API vs. GSSAPI

Hi,

Speaking of mechanisms. I may sound silly, but I'm only beginning to dig into all this Kerberos/GSSAPI/SPNEGO/SPNEGO via HTTP stuff (lots of reading done, tons of material ahead). Still, I've built a couple of small programs, which use GSSAPI as provided by MIT distribution, and it seems that the mechanisms supported by default do not include SPNEGO 1.3.6.1.5.5.2. I'm using the gss_indicate_mechs to obtain available mechanisms, and I can't find it inside of the set returned. Do I miss something real important, or should I just go ahead and implement the SPNEGO mech by myself?

Kirill

Luke Howard wrote:
>>Is that so? I've only ever seen Kerberos being carried out over GSSAPI.
>>What others are there?
>
>
> Here is a list that Martin Rex of SAP posted to the ietf-kitten mailing
> list (to which I would add SPNEGO and NTLM):
>
> ietf mechanism:           Company (Country)
>
> Kerberos 5                MIT, CyberSafe, CA/Platinum, Microsoft, heimdal
> SPKM                      Entrust (CA), Shym (US), Baltimore (US)
>
> proprietary mechanisms:
>
> AM-DCE                    Bull (FR)
> (propr.)                  Sagem (FR)
> sdti,rsakeon,trustnet     TFS-Tech (SE) former RSA/SDTI
> safelayer                 Safelayer (SP)
> NEC Secureware            NEC (JP)
> itsec                     UBS/ITsec (CH)
> Adnovum GSSv2             UBS/Adnovum (CH)
> ISign/secui               Penta Security Systems (South Korea)
> Sisler                    Siemens India (India)
> cpro                      Mecomp (RU)
> lissi                     Lissi (RU)
> kobil                     Kobil GmbH (DE)
> T-Secure                  secunet/Telekom (DE)
>
> -- Luke
>
> --
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
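Added example, not part of the thread and not code from modgssapache, mod_spnego or fbopenssl: a bounds-checked C routine for the acceptor-side step Frank describes, removing the SPNEGO wrapping before the inner token is handed to gss_accept_sec_context. It assumes the NegTokenInit layout of the SPNEGO specification (RFC 2478); `der_read`, `spnego_unwrap` and the `SAMPLE` bytes are hypothetical names and constructed data.

```c
#include <string.h>

static const unsigned char SPNEGO_OID[] = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02}; /* 1.3.6.1.5.5.2 */
/* Constructed sample: SPNEGO NegTokenInit offering Kerberos 5; mechToken is the placeholder "TOKN". */
static const unsigned char SAMPLE[] = { 0x60,0x23, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
    0xa0,0x19, 0x30,0x17, 0xa0,0x0d,0x30,0x0b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0xa2,0x06, 0x04,0x04,'T','O','K','N' };

/* Read one DER tag+length at *p without reading past end; on success *p points at the body. */
static int der_read(const unsigned char **p, const unsigned char *end, unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    size_t n, k;
    if (end - q < 2) return -1;
    *tag = q[0]; n = q[1]; q += 2;
    if (n & 0x80) {                        /* long form: low 7 bits count the length bytes */
        k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;  /* body must fit inside the enclosing element */
    *p = q; *len = n;
    return 0;
}

/* Hypothetical helper: point tok at the mechToken inside in[]; 0 on success, -1 if malformed. */
int spnego_unwrap(const unsigned char *in, size_t in_len, const unsigned char **tok, size_t *tok_len)
{
    const unsigned char *p = in, *end = in + in_len;
    unsigned char tag; size_t len;
    if (der_read(&p, end, &tag, &len) || tag != 0x60 || p + len != end) return -1;
    if (len < sizeof SPNEGO_OID || memcmp(p, SPNEGO_OID, sizeof SPNEGO_OID)) return -1;
    p += sizeof SPNEGO_OID;
    if (der_read(&p, end, &tag, &len) || tag != 0xa0) return -1;      /* negTokenInit [0] */
    if (der_read(&p, p + len, &tag, &len) || tag != 0x30) return -1;  /* SEQUENCE inside [0] */
    for (end = p + len; p < end; p += len) {
        if (der_read(&p, end, &tag, &len)) return -1;
        if (tag != 0xa2) continue;                                    /* skip mechTypes, reqFlags */
        if (der_read(&p, p + len, &tag, &len) || tag != 0x04) return -1;
        *tok = p; *tok_len = len;          /* OCTET STRING body = inner mechanism token */
        return 0;
    }
    return -1;                             /* no mechToken present */
}

int main(void)
{
    const unsigned char *tok; size_t n;
    return spnego_unwrap(SAMPLE, sizeof SAMPLE, &tok, &n) ? 1 : 0;
}
```

The parser checks bounds and nesting but does not reject non-minimal DER length encodings, and it leaves validation of the inner RFC 1964 token to gss_accept_sec_context.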
