SEAM krb API

Jeffrey Altman jaltman2 at nyc.rr.com
Tue Apr 20 14:33:51 EDT 2004


Wyllys Ingersoll wrote:
> krb5_kuserok is sort of an aberration.  It's a weak attempt at
> an authorization interface.  It's very easy to write your own
> non-KRB5-API dependent version of krb5_kuserok using just GSSAPI calls
> and standard C library functions.
> 
> Obviously, you must assume some Kerberos knowledge in the gssapi
> app which is NOT a good thing, IMO, but it is certainly possible to
> write one that is not dependent on the KRB5 API and that will
> behave exactly like the one from the MIT code.

It also assumes that GSSAPI is how you access Kerberos 5 authentication
in all of your applications.  I'm wondering, what do you recommend for
sites still using the r-cmds and telnet besides "don't do that"?
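
Added example, not part of either message and not MIT or SEAM code: a sketch of the kind of libc-only authorization check the quoted text describes, taking the client name as the string `gss_display_name()` would return. The function name `kuserok_like`, its parameters, and the three rules it applies (exact line match, file owned by the account or root, fallback to `luser@realm` when no file exists) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not krb5_kuserok itself. `princ` is the text form of
 * the authenticated client name, `luser`/`owner` the target account, `realm`
 * the local default realm, `k5login` the path of that account's .k5login.
 * Returns 1 to allow the login, 0 to deny. */
int kuserok_like(const char *princ, const char *luser, const char *realm,
                 const char *k5login, uid_t owner)
{
    char line[512], expect[512];
    struct stat st;
    int ok = 0, n;
    FILE *fp;

    if (princ[0] == '\0')
        return 0;                   /* never match an empty line */
    fp = fopen(k5login, "r");
    if (fp == NULL) {
        if (errno != ENOENT)
            return 0;               /* unreadable file: fail closed */
        /* Assumed fallback: with no file, only luser@realm is allowed. */
        n = snprintf(expect, sizeof expect, "%s@%s", luser, realm);
        return n > 0 && (size_t)n < sizeof expect && strcmp(princ, expect) == 0;
    }
    /* Assumed rule: ignore a file not owned by the account or by root. */
    if (fstat(fileno(fp), &st) == 0 && (st.st_uid == owner || st.st_uid == 0)) {
        while (!ok && fgets(line, sizeof line, fp) != NULL) {
            size_t len = strcspn(line, "\r\n");
            if (line[len] == '\0' && !feof(fp)) {
                /* Over-long line: discard the rest so its tail is never
                 * compared as if it were a separate entry. */
                int c;
                while ((c = fgetc(fp)) != EOF && c != '\n')
                    ;
                continue;
            }
            line[len] = '\0';
            ok = strcmp(line, princ) == 0;   /* exact, case-sensitive */
        }
    }
    fclose(fp);
    return ok;
}
```

The check is only as good as the name passed in: it must come from an established security context, not from anything the client sends as plain text.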

