@ character in username

Booker C. Bense bbense at stanford.edu
Tue May 15 20:18:48 EDT 2007

> On May 15, 2007, at 12:04 PM, Russ Allbery wrote:
>> Booker C Bense <bbense at stanford.edu> writes:
>>> Kerberos code has changed a lot since 1993, but I suspect there are
>>> still bugs lurking in dealing with these kinds of things. If there is
>>> anything you can do to avoid using these kinds of principals I would
>>> highly recommend doing so.
>> Hm, we're likely to start deploying users of this type in a separate realm
>> for our guest authentication project.  Does anyone have more recent
>> experience specifically with the K5 code?  It looked to me from reading
>> the code that it should work fine provided that the @ was always escaped
>> whenever it was entered in text form.
> I think the key words here are "the @ was always escaped". Just like
> "lower case realms should not be a problem" and we both know how
> well that one worked out.
> If it was me, I would think really hard about this and try and map
> the guest accounts to things like
> user/foo.remote.com
> rather than
> user\@foo.remote.com
> Either way you're going to put a lot of work into wrapping and
> dealing with the principal. There is some chance 3rd party software
> will properly deal with the first and very little that it will get
> the second right. If you can control every piece of software that
> might touch the principal, you can probably get away with doing
> the latter. We eventually had code that dealt with things like this

"Dr. John Austin"@some.where.foo at EPRI.COM

I've no idea whether Cygnus ever bothered to feed it back upstream or  

_ Booker C. Bense 
