WebISO: the killer kerberos app?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Mar 8 13:53:10 EST 2004


> 
> > One thing I dislike about webauth is that it is using raw KRB5 as
> > opposed to the more portable and extensible GSSAPI interface.  Why was
> > GSSAPI not chosen?
> 
> WebAuth only uses Kerberos v5 in one particular place, namely the
> bootstrap for an application server.  Note that any authentication
> protocol could be used here as far as the protocol is concerned; it's just
> a matter of writing code to handle it.  Certainly if someone saw the need
> for GSSAPI, it's easy to add that.

Writing new code is the barrier that will prevent it from going 
much beyond the experimental stage unless it is adopted by a mainstream
browser (mozilla) and web server (apache).  

> 
> For our application, there didn't seem to be any point in incurring the
> additional overhead (particularly in terms of network round trips) of
> GSSAPI.  But it's certainly a decision that can be revisited.
> 
> > Using raw KRB5 protocol means tying one to a particular Kerberos
> > implementation (MIT, Heimdal, Solaris, Microsoft).
> 
> Why do you say this?  That would indeed be an issue if true, but that
> isn't our experience elsewhere.  We've not tried specifically with WebAuth
> yet, however, at least so far as I know.
> 
> My impression is that Kerberos v5 is a standardized protocol and that
> compatibility bugs are considered exactly that and fixed.  Am I being
> naive about that?

The protocol is standard, but the programming APIs are not.  A site
with MIT libraries will not be able to run apps that compiled against
Heimdal libraries, for example.  GSSAPI is a standardized programming
API; code that is properly written will generally compile cleanly
against MIT, Heimdal, and Solaris GSSAPI libraries without modifying
the code.  Different library directives are needed at link-time,
but the code itself is portable.  Writing to the raw Kerberos API
of one implementation binds the app to that particular implementation.

> 
> > GSSAPI is a standard interface and is thus more portable across
> > platforms and does not restrict a site to only using one Kerberos
> > implementation.  It also does not restrict one to using Kerberos as the
> > secure authentication protocol.
> 
> Note that neither does WebAuth, and the choice of Kerberos v5 for that
> phase of the protocol does not restrict any more than the choice of GSSAPI
> would.  Either way, in order to add another authentication mechanism you
> have to write more code, and either way the protocol can handle the
> situation once you've written more code.  So I think this is a red
> herring.

Not really.  With a pluggable GSSAPI library (Solaris, for example),
one does not have to write new code or recompile to add new GSSAPI
mechanisms.  Configuring the GSSAPI security mechanisms is done outside
of the code as long as the code uses just the standardized GSSAPI
interfaces.

> 
> > What about projects that just add support for new authentication methods
> > like the "Auth Negotiate" scheme that Microsoft uses?  Work is being
> > done by the Mozilla project to support Kerberos auth via GSSAPI in a
> > compatible manner:  http://bugzilla.mozilla.org/show_bug.cgi?id=17578
> 
> I believe that all of us who are working on cookie-based hacks to
> authenticate web access would be delighted if client-side support of
> Kerberos made all of our work obsolete.  From past experience with other
> protocols like e-mail, we're just not holding our breath.

Microsoft already supports it, and they have +90% of the client market,
right?  Getting Mozilla to support it will help a lot for Unix/Linux
users.  You will probably never see 100% coverage of this feature,
but getting the most popular Open-Source browser to support the same
SSO solution that Windows users have will solve most of the problem,
even if it's not the ideal solution.

> 
> Having a protocol in place is one thing.  Having a random PC be able to
> authenticate to web pages without installing additional software is quite
> another.

Agreed.  However, the systems need to already have Kerberos
software installed and configured in order to even consider using 
browser SSO, so there is already a prerequisite for additional software
configuration before you even get to the client.

-Wyllys


-- 
Wyllys Ingersoll <wyllys.ingersoll at sun.com>