@ character in username
Booker C. Bense
bbense at stanford.edu
Tue May 15 20:18:48 EDT 2007
>
> On May 15, 2007, at 12:04 PM, Russ Allbery wrote:
>
>> Booker C Bense <bbense at stanford.edu> writes:
>>
>>> Kerberos code has changed a lot since 1993, but I suspect there are
>>> still bugs lurking in dealing with these kinds of things. If there is
>>> anything you can do to avoid using these kinds of principals I would
>>> highly recommend doing so.
>>
>> Hm, we're likely to start deploying users of this type in a separate realm
>> for our guest authentication project. Does anyone have more recent
>> experience specifically with the K5 code? It looked to me from reading
>> the code that it should work fine provided that the @ was always escaped
>> whenever it was entered in text form.
>
> I think the key words here are "the @ was always escaped". Just like
> "lower case realms should not be a problem" and we both know how
> well that one worked out.
>
> If it was me, I would think really hard about this and try and map
> the guest accounts to things like
>
> user/foo.remote.com
>
> rather than
>
> user\@foo.remote.com
>
> Either way you're going to put a lot of work into wrapping and
> dealing with the principal. There is some chance 3rd party software
> will properly deal with the first and very little that it will get
> the second right. If you can control every piece of software that
> might touch the principal, you can probably get away with doing
> the latter. We eventually had code that dealt with things like this
"Dr. John Austin"@some.where.foo at EPRI.COM
I've no idea whether Cygnus ever bothered to feed it back upstream or
not.
_ Booker C. Bense
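
The escaping concern raised in this thread, as an added example that is not part of the original message and is not MIT Kerberos code: an escape-aware parser and its inverse beside the naive split that escape-unaware software tends to perform. The function names, the realm `GUEST.EXAMPLE` and the simplified escape rule (backslash makes the next character literal) are assumptions made for illustration.

```python
# Added example: text form of a Kerberos principal with backslash escapes.
# Simplified grammar (assumption): "\X" means literal X; no \n, \t, \0 handling.

def parse_principal(text):
    """Return (components, realm); realm is None without an unescaped '@'."""
    parts, buf, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("dangling backslash")
            buf.append(text[i + 1])      # escaped char is data, never a separator
            i += 2
            continue
        if ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@'")
            parts.append("".join(buf))
            buf, in_realm = [], True
        elif ch == "/" and not in_realm:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return parts, "".join(buf)
    return parts + ["".join(buf)], None

def unparse_principal(components, realm=None):
    """Inverse of parse_principal: escape separators before joining."""
    def esc(s):
        return "".join("\\" + c if c in "\\/@" else c for c in s)
    name = "/".join(esc(c) for c in components)
    return name if realm is None else name + "@" + esc(realm)

def naive_parse(text):
    """What escape-unaware software tends to do: split on the first '@'."""
    name, _, realm = text.partition("@")
    return name.split("/"), realm

if __name__ == "__main__":
    # Constructed inputs; the realm GUEST.EXAMPLE is a placeholder.
    for s in ("user\\@foo.remote.com@GUEST.EXAMPLE",
              "user/foo.remote.com@GUEST.EXAMPLE"):
        print(s, parse_principal(s), naive_parse(s))
```

With the escaped form, the naive split places `foo.remote.com@GUEST.EXAMPLE` in the realm position, while the `user/foo.remote.com` form yields the same result from both parsers.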