updated gssapi diff
sxw at inf.ed.ac.uk
Mon Aug 11 20:36:53 EST 2003
On Sun, 10 Aug 2003, Frank Cusack wrote:
> On Sun, Aug 10, 2003 at 04:43:52PM +0200, Jakob Schlyter wrote:
> No gsskeyex? blah!
> No per-session ccache option? blah.
With the Heimdal codebase, krb5_cc_gen_new() should generate a
session-specific ccache; the difference here is that you're not being given an
option not to.
> I can't say for sure whether or not gss_indicate_mechs() needs
> to be in the monitor, but I will note that you've changed this from
> Simon's implementation. Seems OK to me.
I changed this. indicate_mechs only needs to be in the monitor if
you're linking against a GSSAPI library that uses mechglue (or a similar
way of handling multiple GSSAPI mechanisms). It isn't required for vanilla
MIT Kerberos, or for Heimdal. Removing it reduces the amount of
privileged code.
> session.c needs to test options.gss_cleanup_creds before unconditionally
> cleaning up, here:
Indeed. I take it this call is needed as well as the call that comes
through the fatal_add_cleanup() handler.
Cheers,
Simon