Bugzilla – Bug 1217
gss_export_name() does not conform to RFC 2743 section 3.2
Last modified: 2008-08-11 15:17:20
Section 3.2 of RFC 2743 specifies the mechanism-independent format for names
exported via gss_export_name(). Specifically, exported names must begin with
the two bytes 04 01 followed by a 2 byte mechanism OID length followed by the
mechanism OID in DER format. The GSI GSSAPI library does not conform to this
specification. Instead, it returns the output of X509_NAME_oneline(), i.e., an
ASCII subject string. OpenSSH 3.7 includes code to verify the format of the
name returned by gss_export_name() which fails for GSI GSSAPI authentication.
I had to add a work-around for this issue specifically for the GSI mechanism in
OpenSSH GSSAPI code which is otherwise mechanism-independent.
Are there plans to fix this bug? I want to try to get GSI support accepted into
the main OpenSSH distribution, and I'd prefer not to need to include a
work-around for this bug in the patch I submit to the OpenSSH team.
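The following is an added example, not code from this bug report, from the GSI GSSAPI library, or from OpenSSH. It shows the RFC 2743 section 3.2 exported name layout in full: the 04 01 prefix and 2-byte OID length described above, the DER-encoded mechanism OID, and then (also from section 3.2) a 4-byte big-endian name length and the mechanism-specific name bytes. The parser is the kind of format check an OpenSSH-style caller could apply to the output of gss_export_name(); the builder produces a conforming token from a DER OID and a name. The Kerberos V5 mechanism OID is used only as a stand-in because its DER encoding is well known, and the subject string is a constructed X509_NAME_oneline()-style value, which the check rejects because it does not start with 04 01.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of an RFC 2743 section 3.2 exported name token:
 *   04 01 | 2-byte OID length (BE) | DER OID | 4-byte name length (BE) | name */
struct exported_name {
    const uint8_t *oid;  size_t oid_len;   /* DER OID, including the 06 tag and length byte */
    const uint8_t *name; size_t name_len;  /* mechanism-specific name bytes */
};

/* Returns 1 and fills *out (when non-NULL) if buf[0..len) is well formed, else 0. */
int parse_exported_name(const uint8_t *buf, size_t len, struct exported_name *out)
{
    size_t pos, oid_len, name_len;

    if (len < 4 || buf[0] != 0x04 || buf[1] != 0x01) return 0;   /* token id 04 01 */
    oid_len = ((size_t)buf[2] << 8) | buf[3];
    pos = 4;
    if (oid_len < 2 || len - pos < oid_len) return 0;
    /* DER OBJECT IDENTIFIER: tag 0x06 with a short-form length that spans the field */
    if (buf[pos] != 0x06 || buf[pos + 1] >= 0x80 || buf[pos + 1] != oid_len - 2) return 0;
    if (out) { out->oid = buf + pos; out->oid_len = oid_len; }
    pos += oid_len;

    if (len - pos < 4) return 0;
    name_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16) |
               ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
    pos += 4;
    if (len - pos != name_len) return 0;            /* no trailing or missing bytes */
    if (out) { out->name = buf + pos; out->name_len = name_len; }
    return 1;
}

/* Writes a conforming token into out[0..cap); returns its length, or 0 on failure. */
size_t build_exported_name(const uint8_t *der_oid, size_t oid_len,
                           const uint8_t *name, size_t name_len,
                           uint8_t *out, size_t cap)
{
    size_t total = 4 + oid_len + 4 + name_len;
    uint8_t *p;

    if (oid_len > 0xFFFF || name_len > 0xFFFFFFFFu || cap < total) return 0;
    out[0] = 0x04; out[1] = 0x01;
    out[2] = (uint8_t)(oid_len >> 8); out[3] = (uint8_t)oid_len;
    memcpy(out + 4, der_oid, oid_len);
    p = out + 4 + oid_len;
    p[0] = (uint8_t)(name_len >> 24); p[1] = (uint8_t)(name_len >> 16);
    p[2] = (uint8_t)(name_len >> 8);  p[3] = (uint8_t)name_len;
    memcpy(p + 4, name, name_len);
    return total;
}

/* Stand-in mechanism OID: Kerberos V5, 1.2.840.113554.1.2.2, in DER. */
static const uint8_t DEMO_MECH_OID[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};
/* Constructed X509_NAME_oneline()-style subject, as the non-conforming library returns it. */
static const char DEMO_ONELINE_SUBJECT[] = "/C=US/O=Example Org/CN=Jane Doe";

/* Round-trips a token through the builder and parser and checks that the bare
 * ASCII subject is rejected. Returns 1 on success, 0 on any failure. */
int selftest(void)
{
    uint8_t tok[128];
    struct exported_name en;
    size_t n = build_exported_name(DEMO_MECH_OID, sizeof DEMO_MECH_OID,
                                   (const uint8_t *)DEMO_ONELINE_SUBJECT,
                                   strlen(DEMO_ONELINE_SUBJECT), tok, sizeof tok);
    if (n != 4 + sizeof DEMO_MECH_OID + 4 + strlen(DEMO_ONELINE_SUBJECT)) return 0;
    if (!parse_exported_name(tok, n, &en)) return 0;
    if (en.oid_len != sizeof DEMO_MECH_OID ||
        memcmp(en.oid, DEMO_MECH_OID, en.oid_len) != 0) return 0;
    if (en.name_len != strlen(DEMO_ONELINE_SUBJECT) ||
        memcmp(en.name, DEMO_ONELINE_SUBJECT, en.name_len) != 0) return 0;
    /* The raw subject string, as returned by the non-conforming library, must fail. */
    if (parse_exported_name((const uint8_t *)DEMO_ONELINE_SUBJECT,
                            strlen(DEMO_ONELINE_SUBJECT), NULL)) return 0;
    /* A truncated token (name length claims more bytes than are present) must fail. */
    if (parse_exported_name(tok, n - 1, NULL)) return 0;
    return 1;
}

int main(void)
{
    printf("exported name self-test: %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

Note that the check is purely syntactic: a caller still has to compare the embedded OID against the mechanism it negotiated before treating the name bytes as meaningful.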
I don't know to what extent external folks are relying on this function, but
this will be a substantial API change. I would vote that we fix it, but we need
to be sure to publicize it well and make sure there is a compile time test for
Created an attachment (id=437)
patch tested successfully against gsi_openssh