advice on kerberizing products

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Apr 23 15:49:52 EDT 2008


Ken wrote:

> You've discovered an unfortunate truth - it's difficult to ship a
> third-party application that links against Kerberos libraries and
> expect it to be portable.  And since the Heimdal and MIT Kerberos
> libraries aren't API compatible, you either have to pick one or the
> other, or port to both (in my experience, porting to both isn't hard,
> it's just annoying).

It is also worth mentioning that GSS-API is closer to being portable than
native Kerberos APIs, and you should use GSS as much as possible to avoid
some interoperability issues. It also makes your coding a lot easier.

> More and more operating systems are shipping with Kerberos libraries,
> but they're not universal just yet.  I can only offer suggestions based
> on what I have seen other vendors do in your position:

> 1) Dynamically load all Kerberos functions at runtime with dlopen() or
>    the equivalent.

> 2) Encapsulate all of your Kerberos functionality into an open-source
>    module or program and have your customers compile that particular
>    bit themselves.

> 3) Include with your product a complete copy of whatever Kerberos
>    implementation you prefer.

4) Since your company is developing and selling commercial products to
   customers and providing support service that the customer expects for
   such products, perhaps you could partner with a vendor who provides
   a cross platform Kerberos implementation, so you get a consistent and
   supported solution, for any operating system your product may run on.

   Also, your customers get a complete solution that is fully supported
   by yourself and the partner company. I represent one such company,
   namely "CyberSafe".

> From the customer's perspective, 1) is easier.  2) is easier for you,
> as it pushes some of the issues back onto the customer, but it might
> present some interesting support challenges.  I don't recommend 3);
> I'm only including it for the sake of completeness.

I don't recommend option 3 either, but there are companies that have
chosen this path, e.g. Oracle. Instead, I recommend you look at option 4.

Thanks,
Tim
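
Ken's option 1 (resolve the Kerberos functions at run time with dlopen())
combined with Tim's advice to stay on the GSS-API rather than the native
krb5 calls, as an added C example that is not from the original thread or
from any of the vendors mentioned. It assumes the MIT soname
libgssapi_krb5.so.2 and the Heimdal soname libgssapi.so.3 (both are
assumptions about how the libraries are packaged), declares the few GSS
types it needs locally instead of including gssapi.h, and probes the loaded
library with gss_indicate_mechs() because that call needs neither a KDC nor
a krb5.conf.

```c
/* Added example (not from the original posting or any Kerberos vendor): load a
 * GSS-API library at run time via dlopen()/dlsym(), trying the MIT then Heimdal
 * sonames, so the binary has no link-time dependency on either implementation.
 * Build: cc -std=c11 -Wall gssload.c -o gssload   (add -ldl on older glibc) */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal GSS-API types per the RFC 2744 C bindings (same layout in MIT and
 * Heimdal), so this compiles without <gssapi/gssapi.h> installed. */
typedef uint32_t OM_uint32;
typedef struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID;
typedef struct { size_t count; gss_OID elements; } gss_OID_set_desc, *gss_OID_set;
#define GSS_S_COMPLETE 0

/* One row per required symbol: exported name and the slot that receives it. */
struct sym_spec { const char *name; void **slot; };

/* Resolve every symbol in specs[] from an open handle. Returns how many were NOT
 * found; nonzero means the library is unusable and no slot may be called. */
static size_t resolve_symbols(void *handle, const struct sym_spec *specs, size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++) {
        if ((*specs[i].slot = dlsym(handle, specs[i].name)) == NULL) {
            fprintf(stderr, "unresolved %s: %s\n", specs[i].name, dlerror());
            missing++;
        }
    }
    return missing;
}

/* GSS calls the product needs; generic gss_* entry points have the same names
 * and signatures on MIT and Heimdal, which krb5_* calls do not. */
struct gss_fns {
    void *handle;
    OM_uint32 (*indicate_mechs)(OM_uint32 *minor, gss_OID_set *mechs);
    OM_uint32 (*release_oid_set)(OM_uint32 *minor, gss_OID_set *set);
};

/* Sonames to try, in preference order (assumed packaging names). A compile-time
 * constant on purpose: a name derived from config or environment input would let
 * whoever controls that input choose what gets loaded into the process. */
static const char *const gss_candidates[] = { "libgssapi_krb5.so.2" /* MIT */,
                                              "libgssapi.so.3" /* Heimdal */ };

/* Try each candidate; return 0 with g filled in, or -1 if none is usable.
 * The (void **) casts are the idiom dlopen(3) documents for function pointers. */
static int load_gss(struct gss_fns *g)
{
    for (size_t i = 0; i < sizeof gss_candidates / sizeof gss_candidates[0]; i++) {
        void *h = dlopen(gss_candidates[i], RTLD_NOW | RTLD_LOCAL);
        if (h == NULL)
            continue;
        struct sym_spec specs[] = {
            { "gss_indicate_mechs",  (void **)&g->indicate_mechs },
            { "gss_release_oid_set", (void **)&g->release_oid_set },
        };
        if (resolve_symbols(h, specs, 2) == 0) {
            g->handle = h;
            return 0;
        }
        dlclose(h);   /* incomplete symbol set: try the next candidate */
    }
    return -1;
}

/* Load a library and ask which mechanisms it offers (no KDC or krb5.conf needed).
 * Returns the mechanism count; -1 when no GSS library is installed (a reportable
 * condition rather than a crash); -2 on a GSS error. */
static long gss_probe(void)
{
    struct gss_fns g = {0};
    OM_uint32 minor;
    gss_OID_set mechs = NULL;
    long n = -2;
    if (load_gss(&g) != 0)
        return -1;
    if (g.indicate_mechs(&minor, &mechs) == GSS_S_COMPLETE) {
        n = (long)mechs->count;
        g.release_oid_set(&minor, &mechs);
    }
    dlclose(g.handle);
    return n;
}

/* Deterministic check of the resolver against the running program itself:
 * strlen must resolve, a made-up name must not. Returns 1 on pass. */
static int resolver_self_check(void)
{
    void *self = dlopen(NULL, RTLD_NOW), *p_strlen = NULL, *p_bogus = NULL;
    struct sym_spec specs[] = { { "strlen", &p_strlen },
                                { "no_such_symbol_in_this_example", &p_bogus } };
    size_t missing = self ? resolve_symbols(self, specs, 2) : 2;
    if (self)
        dlclose(self);
    return missing == 1 && p_strlen != NULL && p_bogus == NULL;
}

int main(void)
{
    long n = gss_probe();   /* -1: not installed, -2: GSS error, else count */
    printf("gss_probe returned %ld\n", n);
    return n < 0;
}
```

Two design points matter for a shipped product: the symbol table is resolved
as a whole and the handle is closed if any entry is missing, so a partially
compatible library can never be called through a NULL pointer, and the soname
list is a fixed constant, so nothing outside the binary decides which shared
object ends up in the process. A missing library becomes a clear status code
the product can log and degrade on, instead of a load-time failure of the
whole program.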
More information about the Kerberos mailing list