advice on kerberizing products

Kristen J. Webb kwebb at
Wed Apr 23 18:12:18 EDT 2008

Hi Simon,

My current concern with the GSSAPI approach is that
I do not understand how tightly bound it is
with Kerberos yet (or vice-versa).  Is it possible
that I may run into situations where Kerberos
is used w/o access to gssapi libraries?

If so, would I be back to Ken's option 3 with GSSAPI?

BTW: Thanks to everyone for your feedback so far!

Simon Wilkinson wrote:
> On 23 Apr 2008, at 20:23, Ken Hornstein wrote:
>> 1) Dynamically load all Kerberos functions at runtime with dlopen() or
>>    the equivalent.
>> 2) Encapsulate all of your Kerberos functionality into an open-source
>>    module or program and have your customers compile that  
>> particular bit
>>    themselves.
>> 3) Include with your product a complete copy of whatever Kerberos
>>    implementation you prefer.
> 4) Use GSSAPI
> If you only need the functionality that the GSSAPI interface  
> provides, then using it can be far more portable than native Kerberos  
> calls. For example, Mozilla ships precompiled binaries for both  
> Firefox and Thunderbird which work with any vendor's GSSAPI libarary.
> S.
> ________________________________________________
> Kerberos mailing list           Kerberos at

Mr. Kristen J. Webb
Teradactyl LLC.

PHONE: 1-505-242-1091
EMAIL: kwebb at

  	Home of the

  True incremental Backup System
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5363 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the Kerberos mailing list