On Aug 12, 2008, at 2:44 AM, Jason Gunthorpe wrote:

This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
simply passes SPNEGO packets directly to gssapi if the library is new
enough. There is even a configure feature test for the gssapi library
in that package's configure script. Note that Debian etch's standard
kerb libraries (1.4) are not good enough for this.

Any thoughts on how exactly to detect that it's MIT kerberos (not Heimdal) and the version is new enough?

(although don't the gssapi calls block??)

Yes, but it was cleverly hidden so I hadn't thought about it before ;) So yes, I suppose some day GSSAPI calls should be done in auth worker processes.
