From 77cd6364fd13beb602fd36b472b4c1b8279e804d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sat, 26 Apr 2003 09:21:50 +0000
Subject: [PATCH] more about difference between comparing IN and MN

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12151 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/gss_acquire_cred.3 | 18 ++++++++++++++++++
 lib/gssapi/krb5/gss_acquire_cred.3 | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/lib/gssapi/gss_acquire_cred.3 b/lib/gssapi/gss_acquire_cred.3
index 637a0295c..6bc499014 100644
--- a/lib/gssapi/gss_acquire_cred.3
+++ b/lib/gssapi/gss_acquire_cred.3
@@ -479,6 +479,24 @@ name with
 and then compare with
 .Xr memcmp 3 .
 .Pp
+Note that there are might be a difference between the two methods of
+comparing names.
+The first (using
+.Fn gss_compare_name )
+will compare to (unauthenticated) names are the same.
+The second will compare if a mechanism will authenticate them as the
+same principal.
+.Pp
+For example, if
+.Fn gss_import_name
+name was used with
+.Dv GSS_C_NO_OID
+the default syntax is used for all mechanism the GSS-API
+implementation supports.
+When compare the imported name of
+.Dv GSS_C_NO_OID
+it may match serveral mechanism names (MN).
+.Pp
 The resulting name from
 .Fn gss_display_name
 must not be used for acccess control.
diff --git a/lib/gssapi/krb5/gss_acquire_cred.3 b/lib/gssapi/krb5/gss_acquire_cred.3
index 637a0295c..6bc499014 100644
--- a/lib/gssapi/krb5/gss_acquire_cred.3
+++ b/lib/gssapi/krb5/gss_acquire_cred.3
@@ -479,6 +479,24 @@ name with
 and then compare with
 .Xr memcmp 3 .
 .Pp
+Note that there are might be a difference between the two methods of
+comparing names.
+The first (using
+.Fn gss_compare_name )
+will compare to (unauthenticated) names are the same.
+The second will compare if a mechanism will authenticate them as the
+same principal.
+.Pp
+For example, if
+.Fn gss_import_name
+name was used with
+.Dv GSS_C_NO_OID
+the default syntax is used for all mechanism the GSS-API
+implementation supports.
+When compare the imported name of
+.Dv GSS_C_NO_OID
+it may match serveral mechanism names (MN).
+.Pp
 The resulting name from
 .Fn gss_display_name
 must not be used for acccess control.