Credentials for an arbitrary user.
Douglas E. Engert
deengert at anl.gov
Tue Feb 3 15:12:17 EST 2004
Sam Hartman wrote:
>
> >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:
>
> Wyllys> Depending on where you put this code, you are likely
> Wyllys> violating the abstraction layer that GSSAPI was designed
> Wyllys> to provide. An application that calls GSSAPI should never
> Wyllys> call an mechanism-specific API.
>
> That's one use of GSSAPI. It seems reasonable to me to use GSSAPI in
> a mechanism-specific manner because it is easier to use or because you
> like what it does better than native mechanism specific APIs.
> Realizing this was reasonable took a long time for me and many members
> of the Kerberos community may still disagree with this.
I don't totally disagree. But when there are certain functions that are
commonly used and used by more then one GSS inmplementaiton, then there
should be some thought to extending the GSS API to cover these common cases.
The ability to specify the credential used by gss_acquire_cred
might be one of these.
The ability to export a credential is the one that I am always running
into. a gss_export_cred would be a way to do this. (I have one that
works with krb5-1.3.2, and follows the GGF draft.)
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list