Hi Isaac,

thanks for the reply

On Tue, Jul 26, 2022 at 11:06 AM Isaac Boukris <[email protected]> wrote:
>
> Hi Andreas,
>
> On Mon, Jul 25, 2022 at 6:00 PM Andreas Hasenack <[email protected]> wrote:
> >
> > Hello,
> That's exactly case[5] you refer to above, the answer is as in the
> comment; it will be rejected with old MIT libs but not with newer ones
> nor it will be rejected with heimdal. To get the client rejected you

I was using MIT krb 1.19, I thought it was new enough :)

> need that both client and server set bindings and that those bindings
> don't match. Otherwise, to properly handle this case where the server
> sets binding and not the client, the returned flags could be checked
> for GSS_C_CHANNEL_BOUND_FLAG which was added in recent Heimdal/MIT
> libs, see links below. I guess new server option could be added to
> require CBT, implemented by checking this flag.

Thanks for the explanation.

> MIT and Heimdal related changes:
> https://github.com/krb5/krb5/pull/1047

This was merged in 2020, but doesn't seem to be in any release yet,
just in the master branch. This seems to be a trend with sasl gssapi
channel binding patches ;)

> https://github.com/heimdal/heimdal/pull/712

Merged in 2021, but also not in any release yet
