advice on kerberizing products
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Apr 23 15:23:37 EDT 2008
>After doing some research on my own, I now have lots of questions.
>I have a simple implementation that uses sendauth and recvauth
>as a starting point. It works on my setup, but when I try it in a
>Heimdal environment I get some expected results:
>[...]
You've discovered an unfortunate truth - it's difficult to ship a
third-party application that links against Kerberos libraries and
expect it to be portable. And since the Heimdal and MIT Kerberos
libraries aren't API compatible, you either have to pick one or the
other, or port to both (in my experience, porting to both isn't hard,
it's just annoying).
More and more operating systems are shipping with Kerberos libraries, but
they're not universal just yet. I can only offer suggestions based on what
I have seen other vendors do in your position:
1) Dynamically load all Kerberos functions at runtime with dlopen() or
the equivalent.
2) Encapsulate all of your Kerberos functionality into an open-source
module or program and have your customers compile that particular bit
themselves.
3) Include with your product a complete copy of whatever Kerberos
implementation you prefer.
From the customer's perspective, 1) is easier. 2) is easier for you,
as it pushes some of the issues back onto the customer, but it might
present some interesting support challenges. I don't recommend 3); I'm
only including it for the sake of completeness.
--Ken
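
Option 1 from the message above, as an added example that is not part of the original message and not code from MIT Kerberos or Heimdal: the product resolves the few Kerberos calls it needs with dlopen()/dlsym() and disables Kerberos support cleanly when no usable library is present. The names `krb5_dyn`, `krb5_dyn_load` and `krb5_dyn_unload` are hypothetical, and the library names in `main` are assumed sonames that vary by platform and packaging.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical call table: only what the product needs, typed by hand so no
 * krb5.h is required at build time. krb5_context is treated as an opaque pointer. */
struct krb5_dyn {
    void *handle;
    int  (*init_context)(void **ctx);   /* krb5_init_context */
    void (*free_context)(void *ctx);    /* krb5_free_context */
};

/* Try each candidate in order. Returns 0 and fills *k when a library provides
 * every required symbol, -1 (with *k zeroed) when none does. */
int krb5_dyn_load(struct krb5_dyn *k, const char *const *candidates)
{
    memset(k, 0, sizeof *k);
    for (; *candidates; candidates++) {
        void *h = dlopen(*candidates, RTLD_NOW | RTLD_LOCAL);
        if (!h) continue;
        k->init_context = (int (*)(void **))dlsym(h, "krb5_init_context");
        k->free_context = (void (*)(void *))dlsym(h, "krb5_free_context");
        if (k->init_context && k->free_context) {
            k->handle = h;
            return 0;
        }
        dlclose(h);                 /* wrong library: drop it, keep looking */
        memset(k, 0, sizeof *k);
    }
    return -1;
}

void krb5_dyn_unload(struct krb5_dyn *k)
{
    if (k->handle) dlclose(k->handle);
    memset(k, 0, sizeof *k);
}

int main(void)
{
    /* Assumed sonames. Bare names go through the dynamic linker search path;
     * pass absolute paths to pin a specific installation. */
    static const char *const libs[] = { "libkrb5.so.3", "libkrb5.so.26", "libkrb5.so", NULL };
    struct krb5_dyn k;
    void *ctx = NULL;
    if (krb5_dyn_load(&k, libs) != 0) { puts("Kerberos disabled: no usable libkrb5"); return 0; }
    if (k.init_context(&ctx) == 0) { puts("krb5 context initialized"); k.free_context(ctx); }
    krb5_dyn_unload(&k);
    return 0;
}
```

Because the two libraries are not API compatible, every further call added to the table needs a signature that matches the implementation actually loaded.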