git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Mon, 13 Jul 2015 21:06:29 +0000 (17:06 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Sat, 18 Jul 2015 03:28:39 +0000 (23:28 -0400)
commit	7fd55f171e4f0bdcdfe70a912dfa6b6be92b1479
tree	5ff7433b7aba4cb47b713c9b2694f5ab6fd4f8f4	tree
parent	90544415b37e4755daf9c2c548532e1ebbcbd7a9	commit \| diff

Limit use of deprecated krb5 mech OIDs

Filter out mechs with the GSS_C_MA_DEPRECATED attribute from the set
of mechanisms obtained by SPNEGO, and from the set used when
gss_acquire_cred() is called with no desired_mechs attribute.

SPNEGO acceptors will still accept the old and wrong krb5 OIDs, but
SPNEGO initiators will not offer them. According to [MS-SPNG], only
Windows 2000 does not recognize the standard krb5 OID, and it is
client-only.

In gss-client.c, use the standard krb5 OID for the -krb5 option, as
acceptors who call gss_acquire_cred() with no desired_mechs to create
an acceptor cred will no longer accept the old or wrong krb5 OIDs.

ticket: 8217 (new)

src/appl/gss-sample/gss-client.c		diff \| blob \| blame \| history
src/lib/gssapi/mechglue/g_acquire_cred.c		diff \| blob \| blame \| history
src/lib/gssapi/spnego/spnego_mech.c		diff \| blob \| blame \| history