curl-library
Re: PATCH: Curl Sanity patch for spnego authentication
Date: Tue, 1 Oct 2013 21:48:20 +0100
Hi Daniel,
Sorry if I may add more confusion, but the right way to do it with the
newer Kerberos libraries is to use a flag with curl (e.g. --spnego) and set
the mech type to the right value in curl_gssapi.c
#ifndef HAVE_SPENGO_MECH
/* gss_mech_spnego might already be defined extern; this should be checked
   during configure */
static gss_OID_desc _gss_mech_spnego =
  { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
gss_OID gss_mech_spnego = &_gss_mech_spnego;
#endif
  /* request SPNEGO explicitly, otherwise let the library pick its default */
  if (spnego)
    mech = gss_mech_spnego;
  else
    mech = GSS_C_NO_OID;
  return gss_init_sec_context(minor_status,
                              GSS_C_NO_CREDENTIAL, /* cred_handle */
                              context,
                              target_name,
                              mech, /* mech_type */
                              req_flags,
                              0, /* time_req */
                              input_chan_bindings,
                              input_token,
                              NULL, /* actual_mech_type */
                              output_token,
                              ret_flags,
                              NULL /* time_rec */);
I still wonder why the server Arunav uses only accepts spnego, as most accept
either gssapi or spnego tokens.
Regards
Markus
-----Original Message-----
From: Daniel Stenberg
Sent: Monday, September 30, 2013 7:30 AM
Newsgroups: gmane.comp.web.curl.library
To: libcurl development
Cc: Arunav Sanyal; Markus Moeller
Subject: RE: PATCH: Curl Sanity patch for spnego authentication
On Wed, 25 Sep 2013, Arunav Sanyal wrote:
> I use MIT Kerberos 1.11. And I can assure you the library does not handle
> SPNEGO token conversion explicitly. Even when I specify a different OID.
>
> If you have your own server implementation which directly handles gssapi
> tokens, fbopenssl is no longer required. My use case is curl trying to
> authenticate with Tomcat 7.40.0 which expects SPNEGO token.
Hello Arunav, Kevin, Markus and the rest!
As I'm a GSS rookie and a SPNEGO cluebie, you need to help me out a little bit
more here!
This discussion is certainly useful and something that benefits us all, but I
have a very hard time to figure out which conclusions to draw and how to
proceed here. Can I get your help please?
Can we start with Arunav's specific patch[1] for SPNEGO that I questioned[2],
he said he agreed to my doubts[3] and yet he seems to say the fixes are fine.
I can't make sense of that and I don't fully grasp how SPNEGO works in
combination with the GSS stuff. Can't you have both enabled in a single
libcurl build?
I would really like an opinion and help on this from someone else who knows
more about this area than I do! Is the patch fine to merge? If not, what's the
problem? If it is, won't a combined SPNEGO + GSS build crash and burn?
[1] = http://curl.haxx.se/mail/lib-2013-09/0095.html
[2] = http://curl.haxx.se/mail/lib-2013-09/0112.html
[3] = http://curl.haxx.se/mail/lib-2013-09/0115.html
--
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-10-01