SPNEGO initial patch

David Woodhouse dwmw2 at infradead.org
Tue Feb 17 09:06:10 PST 2015


On Tue, 2015-02-17 at 18:00 +0100, Nikos Mavrogiannopoulos wrote:
> 
> That's a patch which adds support for SPNEGO authentication (i.e.,
> GSSAPI - Kerberos) to openconnect. Currently it interoperates with
> ocserv's gssapi branch. I'm not sure whether re-using the proxy auth
> structures is the right thing (i.e., whether it wouldn't interfere
> with it).

Yeah, I think that's probably going to break for the case where you
authenticate to a proxy using GSSAPI, *and* authenticate to the VPN
server using GSSAPI too. You want a separate auth structure for the real
server.

I'd also much prefer this to not be GSSAPI-specific. The existing code
for proxy authentication already handles four auth methods without much
special-casing, and I'd prefer to see us handling all four for the VPN
connection too. It's not unlikely that we'll end up needing that with
the various crap that people seem to be putting in front of Juniper
login pages.

-- 
dwmw2