Host-realm pluggable interface scope questions
Greg Hudson
ghudson at MIT.EDU
Mon Jun 17 12:12:41 EDT 2013
We've been asked to make a pluggable interface for host-realm
translation, and I thought it might be helpful to discuss the
appropriate scope before getting into details.
Obviously krb5_get_host_realm() and krb5_get_fallback_host_realm() are
in scope. But:
* Should krb5_get_default_realm() be in scope? One can think of this as
a special case of krb5_get_host_realm(), and some of the same
mechanisms have historically applied (such as TXT lookups).
* Should hostname canonicalization be in scope? This is performed by
krb5_sname_to_principal(), not krb5_get_host_realm(), but
sname-to-principal is one of only two consumers of
krb5_get_host_realm().
* Should hostname "cleaning" be in scope? This is where we convert
hostnames to lower-case and strip off any trailing dot.
* Should plugin modules be able to return multiple answers for the host
realm? Our APIs currently allow this (for realm-of-host and
fallback-realm-of-host, not for default-realm) but we only ever
produce or consume one answer at the moment.
More information about the krbdev
mailing list