SEAM krb API

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Apr 20 13:58:31 EDT 2004


Ken Hornstein wrote:

>>We have not found a lot of customers that really need direct access to 
>>the KRB5 APIs.   Usually showing them how to use PAM or GSSAPI is sufficient.
>
>Hm.  I have never actually seen a GSSAPI server program that didn't
>also require calls to the krb5 API as well (we make heavy use of
>cross-realm, so we always need to call krb5_kuserok(), and then there
>is the whole credential cache management issue as well).  I admit that

krb5_kuserok is sort of an aberration.  It's a weak attempt at
an authorization interface.  It's very easy to write your own
non-KRB5-API dependent version of krb5_kuserok using just GSSAPI calls
and standard C library functions.

Obviously, you must assume some Kerberos knowledge in the gssapi
app which is NOT a good thing, IMO, but it is certainly possible to
write one that is not dependent on the KRB5 API and that will
behave exactly like the one from the MIT code.

Pseudo-code:
   IF mech OID == KRB5
        call gss_display_name
        parse display name to get username part
        call getpwnam (or similar) to get local acct mapping info.
        do local authorization checking based on local user info...
   END

>on the client, it's usually not necessary.  I suppose that it might be
>possible to possibly use PAM in place of krb5_kuserok() (I am not sure
>this is true, but let's pretend that it is), but considering that PAM
>has relatively poor OS coverage I'd have to maintain two sets of code
>(one PAM, one krb5 API).  For me, the added headache of supporting two
>sets of code isn't worth transitioning to a vendor-supplied Kerberos;
>it's easier for me to just use the one I compile.

Yeah - if you are writing code that's gotta be portable to multiple
platforms, then SEAM may not be the answer for you unless you stick
with GSSAPI.

>For example, I was trying to help someone once who was trying to get
>Simon Wilkinson's GSSAPI patch for SSH going with Solaris & SEAM, and
>he ran into the problem that Solaris didn't export the krb5 API.  He
>asked what I did, and I had to tell him that I didn't use SEAM, and
>that I advised him to do the same thing that I did (use the MIT
>library).
Talk to Nico about how he added GSSAPI to SSH for Solaris... 
I think he looked into Simon's code and then went a different way
for various reasons.

-Wyllys
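The authorization step from the pseudo-code in Wyllys's reply, carried out in plain C as an added example; this is not code from the mail thread, from MIT Kerberos or from Sun's SEAM. It assumes the caller has already accepted the GSSAPI context, confirmed the mechanism OID is Kerberos and obtained the initiator's display name from gss_display_name(), so only that string is handled here. The default realm (`DEFAULT_REALM`), the function names and the sample principals are all constructed for the example. The mapping rule is the no-.k5login case of krb5_kuserok(): a principal is accepted for a local account only when it is a single-component name equal to the account name in the local default realm, so cross-realm and `user/instance` principals are denied rather than silently mapped.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed local default realm; in a real server this comes from
 * site configuration, not a compile-time constant. */
#define DEFAULT_REALM "EXAMPLE.COM"

/* Split a display name of the form "name@REALM" into its two parts.
 * Kerberos lets '\' escape '@' and '/' inside a component, so the
 * separator is the last unescaped '@'. Multi-component names such as
 * "user/admin@REALM" are rejected: they are not the local user "user".
 * Returns false when the string is not a single-component principal. */
static bool parse_principal(const char *display, char *name, size_t nlen,
                            char *realm, size_t rlen)
{
    const char *at = NULL;
    for (const char *p = display; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }  /* skip escaped char */
        if (*p == '/') return false;                /* instance component */
        if (*p == '@') at = p;
    }
    if (at == NULL || at == display || at[1] == '\0')
        return false;                               /* no name or no realm */
    size_t n = (size_t)(at - display);
    if (n >= nlen || strlen(at + 1) >= rlen)
        return false;                               /* would not fit */
    memcpy(name, display, n);
    name[n] = '\0';
    strcpy(realm, at + 1);
    return true;
}

/* Equivalent of the no-.k5login branch of krb5_kuserok(): the Kerberos
 * principal in `display` may act as local account `luser` only if its
 * single component equals `luser` and its realm is the local default. */
bool gss_principal_is_authorized(const char *display, const char *luser)
{
    char name[256], realm[256];
    if (!parse_principal(display, name, sizeof name, realm, sizeof realm))
        return false;
    if (strcmp(realm, DEFAULT_REALM) != 0)
        return false;                               /* cross-realm: deny */
    return strcmp(name, luser) == 0;
}

/* The "getpwnam (or similar)" step: the account must exist locally. */
bool local_account_exists(const char *luser)
{
    return getpwnam(luser) != NULL;
}

/* Full check as a server would call it after gss_accept_sec_context(). */
bool authorize_initiator(const char *display, const char *luser)
{
    return local_account_exists(luser) &&
           gss_principal_is_authorized(display, luser);
}

int main(void)
{
    /* Constructed display names, as gss_display_name() would return them. */
    const char *cases[] = {
        "alice@EXAMPLE.COM",        /* same name, default realm: allowed   */
        "alice@OTHER.COM",          /* cross-realm: denied                  */
        "alice/admin@EXAMPLE.COM",  /* instance component: denied           */
        "bob@EXAMPLE.COM",          /* different user: denied               */
        "alice\\@EXAMPLE.COM",      /* escaped '@', no realm part: denied   */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s -> %s\n", cases[i],
               gss_principal_is_authorized(cases[i], "alice") ? "allow" : "deny");
    return 0;
}
```

The split between `gss_principal_is_authorized()` and `local_account_exists()` keeps the Kerberos-specific knowledge in one small function, which is the part Wyllys notes a GSSAPI application would rather not carry; everything else is ordinary C library use.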


