advice on kerberizing products

Kristen J. Webb kwebb at teradactyl.com
Wed Apr 23 18:12:18 EDT 2008


Hi Simon,

My current concern with the GSSAPI approach is that
I do not understand how tightly bound it is
with Kerberos yet (or vice-versa).  Is it possible
that I may run into situations where Kerberos
is used w/o access to gssapi libraries?

If so, would I be back to Ken's option 3 with GSSAPI?

BTW: Thanks to everyone for your feedback so far!
K

Simon Wilkinson wrote:
> On 23 Apr 2008, at 20:23, Ken Hornstein wrote:
>> 1) Dynamically load all Kerberos functions at runtime with dlopen() or
>>    the equivalent.
>>
>> 2) Encapsulate all of your Kerberos functionality into an open-source
>>    module or program and have your customers compile that  
>> particular bit
>>    themselves.
>>
>> 3) Include with your product a complete copy of whatever Kerberos
>>    implementation you prefer.
> 
> 4) Use GSSAPI
> 
> If you only need the functionality that the GSSAPI interface  
> provides, then using it can be far more portable than native Kerberos  
> calls. For example, Mozilla ships precompiled binaries for both  
> Firefox and Thunderbird which work with any vendor's GSSAPI libarary.
> 
> S.
>   
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
Mr. Kristen J. Webb
Teradactyl LLC.

PHONE: 1-505-242-1091
EMAIL: kwebb at teradactyl.com
VISIT: http://www.teradactyl.com

  	Home of the

  True incremental Backup System
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5363 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080423/a8c4bc41/attachment.bin


More information about the Kerberos mailing list