From 86a93da7e59aba48c8c9fef5de4114c74696eba1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 6 May 2004 15:57:10 +0000
Subject: [PATCH] spelling from Josef El-Rayes while here, write some text about the SPNEGO situation
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13837 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/gssapi.3 | 22 +++++++++++++++++-----
 lib/gssapi/krb5/gssapi.3 | 22 +++++++++++++++++-----
 2 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3
index f5aabf14d..6128c07f2 100644
--- a/lib/gssapi/gssapi.3
+++ b/lib/gssapi/gssapi.3
@@ -109,15 +109,15 @@ implementations when using .Fn gss_get_mic / .Fn gss_verify_mic . -Its possible to modify the behavior of the generator of the MIC with +It is possible to modify the behavior of the generator of the MIC with the .Pa krb5.conf configuration file so that old clients/servers will still work. .Pp New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured and the compatibility code -will be removed in 0.8. +In 0.7 it will check only if configured - the compatibility code will +be removed in 0.8. .Pp Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic.
@@ -138,17 +138,29 @@ If a match for a entry is in both
 .Ar correct_des3_mic
 and
 .Nm [gssapi]
-.Ar correct_des3_mic ,
+.Ar broken_des3_mic ,
 the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Example:
+Microsoft implemented SPNEGO to Windows2000, however, they manage to
+get it wrong, their implementation didn't fill in the MechListMIC in
+the reply token with the right content.
+There is a work around for this problem, but not all implementation
+support it.
+.Pp
+Heimdal defaults to correct SPNEGO when the the kerberos
+implementation uses CFX, or when its configured by the user.
+To turn on compatibility with peers, use option
+.Nm [gssapi]
+.Ar require_mechlist_mic .
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [gssapi]
 broken_des3_mic = cvs/*@SU.SE
 broken_des3_mic = host/*@E.KTH.SE
 correct_des3_mic = host/*@SU.SE
+ require_mechlist_mic = host/*@SU.SE
 .Ed
 .Sh BUGS
 All of 0.5.x versions of
diff --git a/lib/gssapi/krb5/gssapi.3 b/lib/gssapi/krb5/gssapi.3
index f5aabf14d..6128c07f2 100644
--- a/lib/gssapi/krb5/gssapi.3
+++ b/lib/gssapi/krb5/gssapi.3
@@ -109,15 +109,15 @@ implementations when using .Fn gss_get_mic / .Fn gss_verify_mic . -Its possible to modify the behavior of the generator of the MIC with +It is possible to modify the behavior of the generator of the MIC with the .Pa krb5.conf configuration file so that old clients/servers will still work. .Pp New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured and the compatibility code -will be removed in 0.8. +In 0.7 it will check only if configured - the compatibility code will +be removed in 0.8. .Pp Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic.
@@ -138,17 +138,29 @@ If a match for a entry is in both
 .Ar correct_des3_mic
 and
 .Nm [gssapi]
-.Ar correct_des3_mic ,
+.Ar broken_des3_mic ,
 the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Example:
+Microsoft implemented SPNEGO to Windows2000, however, they manage to
+get it wrong, their implementation didn't fill in the MechListMIC in
+the reply token with the right content.
+There is a work around for this problem, but not all implementation
+support it.
+.Pp
+Heimdal defaults to correct SPNEGO when the the kerberos
+implementation uses CFX, or when its configured by the user.
+To turn on compatibility with peers, use option
+.Nm [gssapi]
+.Ar require_mechlist_mic .
+.Sh EXAMPLES
 .Bd -literal -offset indent
 [gssapi]
 broken_des3_mic = cvs/*@SU.SE
 broken_des3_mic = host/*@E.KTH.SE
 correct_des3_mic = host/*@SU.SE
+ require_mechlist_mic = host/*@SU.SE
 .Ed
 .Sh BUGS
 All of 0.5.x versions of