credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
Simo
simo at samba.org
Mon Mar 6 15:28:54 UTC 2017
On Mon, 2017-03-06 at 15:19 +0100, Stefan Metzmacher wrote:
> Hi Simo,
>
> > > Yes, and that's exactly what I want. We should do such things
> > > explicit
> > > in order to avoid unexpected magic depending on the used kerberos
> > > library.
> >
> > Can you explain what magic you refer to ?
> > What's your goal here ? Keep in mind that in MIT kerberos
> > gss_krb5_import_cred() is implemented by calling the acquire_cred
> > paths
> > internally anyway, so the solution for any "magic" is likely the
> > same
> > in either case.
>
> See https://bugzilla.samba.org/show_bug.cgi?id=12480, we need to
> pass an explicit krb5_ccache in order to avoid the ccselect
> magic, which is a security risk in our code. Therefore we need
> to call krb5_cc_resolve() ourself. As we don't want the
> library to choose any random ccache! Even if we want to use
> the default cache for one cli_credential struct, it doesn't
> mean we will only ever have one cli_credential in the current
> process.
For memory ccaches this should not be a problem with
gss_acquire_cred_from() as you would pass a store element like:
{
.key = "ccache",
.value = "MEMORY:cliconnect",
}
therefore selecting a specific ccache to use.
Simo.
More information about the samba-technical
mailing list