advice on kerberizing products

Jeffrey Altman jaltman at secure-endpoints.com
Wed Apr 23 22:49:36 EDT 2008


Kristen J. Webb wrote:
> Hi Simon,
>
> My current concern with the GSSAPI approach is that
> I do not understand how tightly bound it is
> with Kerberos yet (or vice-versa).  Is it possible
> that I may run into situations where Kerberos
> is used w/o access to gssapi libraries?
>
From my perspective the win with GSSAPI is that not only do
you obtain a higher degree of platform portability with GSSAPI
than you do with Kerberos v5 APIs, but you also obtain a high
degree of protocol interoperability.

If you restrict yourself to GSSAPI you are able to write services
for UNIX that can communicate with Windows Kerberos SSP
based clients; or Windows Kerberos SSP based services that
communicate with UNIX GSSAPI clients.

In addition, not all of the major UNIX operating systems
expose Kerberos APIs.  The biggest one is Solaris which provides
GSSAPI and no Kerberos v5.

Another reason for avoiding the direct Kerberos v5 APIs
is that it is not simply a MIT vs Heimdal world.  The GNU
implementation is different and even in the MIT derived family
of implementations there are differences.  Sun has modified
a number of interfaces that make direct compilation against
their headers (if they were available) an additional level of
complexity.

Ken H. is correct that if all you want to do is use Kerberos v5
and you know that is what you need, it is much easier to add
Kerberos v5 authentication by coding to one of the implementations.
It is only when you add the complexity of dealing with all of the
incompatible APIs that you are left wondering if the long term
support costs are worth the short term gain in ease of implementation.

Regardless of which method you decide to follow I believe that
dynamically selecting the library to load at runtime has major
benefits for an application provider.  Doing so permits you to
work with a variety of implementations based upon the choices
of the local system administrator and not be dependent upon
the choices of the operating system packager.

I too would avoid SASL unless you absolutely need it because
the protocol you are implementing specifies it.

Jeffrey Altman
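As an added illustration of the runtime-selection point made in the message above (this is example code, not anything from the original post or from any Kerberos project), the following Python script uses ctypes, which is the same dlopen()/dlsym() pattern a C service would use, to probe a list of candidate GSS-API shared objects, skip any that do not export the entry points the application needs, and let the local administrator override the choice. The library names, the GSSAPI_LIBRARY override variable and the required-symbol list are assumptions about typical packaging, not something the post specifies.

```python
"""Select a GSS-API implementation at run time instead of linking to one.

Added example, not code from the original message. The candidate library
names, the GSSAPI_LIBRARY override variable and the required-symbol list
are assumptions about typical packaging, not anything the post specifies.
The pattern is the same one a C service would use with dlopen()/dlsym().
"""
import ctypes
import os

# Assumed shared-object names for common implementations, most specific first.
DEFAULT_CANDIDATES = (
    "libgssapi_krb5.so.2",   # MIT Kerberos
    "libgssapi.so.3",        # Heimdal
    "libgssapi.so",          # Solaris and other generic GSS-API libraries
)

# Entry points the application actually needs; a library that lacks any of
# them is skipped even if it loads, so a broken install fails early.
REQUIRED_SYMBOLS = (
    "gss_indicate_mechs",
    "gss_release_oid_set",
    "gss_import_name",
    "gss_acquire_cred",
    "gss_init_sec_context",
    "gss_accept_sec_context",
)


class GssOidSetDesc(ctypes.Structure):
    """Layout of gss_OID_set_desc from the GSS-API C bindings (RFC 2744)."""
    _fields_ = [("count", ctypes.c_size_t), ("elements", ctypes.c_void_p)]


def build_candidates(override=None, defaults=DEFAULT_CANDIDATES):
    """Administrator override (assumed env var GSSAPI_LIBRARY) first, then defaults."""
    names = [override] if override else []
    names.extend(n for n in defaults if n != override)
    return names


class GssRuntime:
    """A loaded GSS-API library with the entry points this example calls."""

    def __init__(self, path, lib):
        self.path = path
        self.lib = lib
        u32p = ctypes.POINTER(ctypes.c_uint32)
        setp = ctypes.POINTER(ctypes.POINTER(GssOidSetDesc))
        # OM_uint32 gss_indicate_mechs(OM_uint32 *minor, gss_OID_set *mechs)
        lib.gss_indicate_mechs.restype = ctypes.c_uint32
        lib.gss_indicate_mechs.argtypes = [u32p, setp]
        # OM_uint32 gss_release_oid_set(OM_uint32 *minor, gss_OID_set *set)
        lib.gss_release_oid_set.restype = ctypes.c_uint32
        lib.gss_release_oid_set.argtypes = [u32p, setp]

    def mechanism_count(self):
        """Number of mechanisms the loaded library advertises (0 on GSS error)."""
        minor = ctypes.c_uint32(0)
        mechs = ctypes.POINTER(GssOidSetDesc)()          # NULL until filled in
        major = self.lib.gss_indicate_mechs(ctypes.byref(minor), ctypes.byref(mechs))
        if major != 0 or not mechs:                        # GSS_S_COMPLETE is 0
            return 0
        count = mechs.contents.count
        self.lib.gss_release_oid_set(ctypes.byref(minor), ctypes.byref(mechs))
        return count


def load_gssapi(candidates, required=REQUIRED_SYMBOLS):
    """Return a GssRuntime for the first candidate that loads and exports every
    required symbol, or None when no usable implementation is installed."""
    for name in candidates:
        try:
            lib = ctypes.CDLL(name)          # dlopen(); searches the loader path
        except OSError:
            continue                         # not installed here, try the next
        if all(hasattr(lib, sym) for sym in required):   # dlsym() each entry point
            return GssRuntime(name, lib)
    return None


if __name__ == "__main__":
    rt = load_gssapi(build_candidates(os.environ.get("GSSAPI_LIBRARY")))
    if rt is None:
        print("no usable GSS-API library found; Kerberos authentication unavailable")
    else:
        print(f"using {rt.path}: {rt.mechanism_count()} mechanism(s) available")
```

Because every candidate is checked for the full set of required symbols before it is accepted, a partially compatible library (one that loads but lacks, say, gss_acquire_cred) is passed over rather than failing later at first use; the administrator override is tried first so the site, not the OS packager, decides which implementation the service binds to.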


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080423/5361a6e9/attachment.bin

