On Fri, Feb 24, 2023 at 12:19:53PM -0800, Russ Allbery wrote:
> Nico Williams <[email protected]> writes:
> > If you're just trying to set up a GSS context between a client and a
> > server, then GSS is really simple, and much simpler than the krb5 API.
>
> I'm very dubious about this statement. The requirement to handle
> negotiation and potential multiple round trips and all the complexity with
> major and minor status codes makes the equivalent GSS code complicated and
> annoying.
If you're using SPNEGO then you don't have to concern yourself with
negotiation. If you're implementing SSHv2 or SASL it's another story,
though not much more complicated because you're doing negotiation at a
layer that already does it and all you have to do is maybe pick a GSS
mechanism. RFC 7546 exists.

I've written a fair amount of app code using krb5 and GSS APIs, and I
strongly prefer GSS code.

> GSS pays a significant price for being a generic mechanism with a
> negotiation method, and the API does not hide that price from the
> programmer.

It does pay a price, but if all you need is encrypted sessions, then it's
simple.

GSS does have some ugly things, mainly OIDs, but also not having something
like a krb5_context.

Regarding not having a krb5_context, I've played with a couple of ways to
fix that in Heimdal: either a) enhancing the `OM_uint32 *minor_status` to
be a more complex, opaque object, or b) adding configuration key/value
parameters to the `cred_store` used in `gss_acquire_cred_from()`.

Nico
