Apps aquiring tickets (was Re: gssapi/openssh)

Ken Raeburn raeburn at MIT.EDU
Tue May 6 16:16:47 EDT 2003


greg at wind.enjellic.com (Dr. Greg Wettstein) writes:

> More problematically it would seem that such a utility will need to be
> specific not only to the OS but the operating environment as well.  At
> the very minimum there would need to be at least three graphical
> implementations and a generic text implementation.  The graphical
> environments would be Windows, X and Macintosh.

Don't forget PalmOS.  Oh wait, we don't have a port to that yet. :-(

>     To provide maximum
> utility there would also need to a version which could prompt in text
> mode over a tty device.

As far as I know it's not a big deal for the graphical environments,
but in tty mode, some means of negotiating access to the terminal.
The Kerberos code can't take input if some other thread is already
doing so.  This may argue for the "prompter callback" approach we're
using in limited form now.

> The problem may be somewhat easier since I anticipate most interest
> would be in a graphical version.  I usually have 6-10 different text
> mode displays open at any one time but I certainly don't have a
> problem running kinit if an application tells me that I have an
> outdated ticket.

Yeah, I suspect just letting the user run kinit when we don't have a
graphical UI would be adequate.

> It would seem that Java would be the language of choice for something
> like this, it at least makes the graphical issues less of a problem.
> Since 1.4.x also supports GSSAPI there is low-level support for
> Kerberos credential management in at least the IBM and SUN
> distributions.

As far as the MIT Kerberos library goes, I suspect we would want it
using IPC to some additional process that can do the graphical work.
Then if that program is written in Java, we don't have to worry as
much about the startup time for the runtime environment, linking
random C-based applications against Java code, stuff like that.  The
CCache API support for Mac and Windows has a good start in the right
direction, I think.

Ken


More information about the Kerberos mailing list