advice on kerberizing products

Ken Hornstein kenh at
Wed Apr 23 15:23:37 EDT 2008

>After doing some research on my own, I now have lots of questions.
>I have a simple implementation that uses sendauth and recvauth
>as a starting point.  It works on my setup, but when I try it in a
>Heimdal environment I get some expected results:

You've discovered an unfortunate truth - it's difficult to ship a
third-party application that links against Kerberos libraries and
expect it to be portable.  And since the Heimdal and MIT Kerberos
libraries aren't API compatible, you either have to pick one or the
other, or port to both (in my experience, porting to both isn't hard,
it's just annoying).

More and more operating systems are shipping with Kerberos libraries, but
they're not universal just yet.  I can only offer suggestions based on what
I have seen other vendors do in your position:

1) Dynamically load all Kerberos functions at runtime with dlopen() or
   the equivalent.

2) Encapsulate all of your Kerberos functionality into an open-source
   module or program and have your customers compile that particular bit

3) Include with your product a complete copy of whatever Kerberos
   implementation you prefer.

>From the customer's perspective, 1) is easier.  2) is easier for you,
as it pushes some of the issues back onto the customer, but it might
present some interesting support challenges.  I don't recommend 3); I'm
only including it for the sake of completeness.


More information about the Kerberos mailing list