Please Review Changes to Windows Exports List for krb5 1.2.5 in KfW 2.2
jaltman at columbia.edu
Mon Apr 15 16:50:01 EDT 2002
What I really want from this API is the realm of the TGT that I must
use in order to be able to authenticate to the specified host. For me
this is not a question of the host belonging to more than one realm,
but for the client to be able to determine which credentials they
require in order to have a shot at succeeding.
It does me no good to have a valid TGT for CC.COLUMBIA.EDU if I can't
use it to cross realm to ATHENA.MIT.EDU when I want to log into
athena.dialup.mit.edu and require a service ticket for
host/athena.dialup.mit.edu at ATHENA.MIT.EDU.
I know that this is not what the API does as the moment. But this is
what I really want from it.
> "Danilo Almeida" <dalmeida at MIT.EDU> writes:
> > Jeffrey Altman reported that Kermit 95 uses krb5_free_host_realm() and
> > krb5_get_host_realm() and that removing these functions from the Windows
> > exports list would be very problematic for Kermit 95.
> > Sam Hartman and Danilo Almeida asked other developers whether there was
> > a good reason to pull these functions out.
> We're a bit schizophrenic on the "host's realm" issue. This interface
> supports the notion of a host being "in" multiple realms. Other
> interfaces we have do not. We need to figure out which way it goes,
> and fix the API to be consistent.
> If we really need to have these functions available right now, we
> could change get_host_realm later to always return a single realm and
> then document that as a backwards-compatible update to the API, *if*
> we decide that's the approach to take. If we go with multiple realms
> for a host, then I expect we have several other parts of the API that
> need updating.
> That's not a decisions to be made based on the most convenient way to
> change the API; it's a Kerberos protocol and administration design
> issue. Probably it should be taken up on the Kerberos working group
> krbdev mailing list krbdev at mit.edu
Jeffrey Altman * Sr.Software Designer Kermit 95 1.1.21 available now!!!
The Kermit Project @ Columbia University SSH plus Telnet, FTP and HTTP
http://www.kermit-project.org/ secured with Kerberos, SRP, and
kermit-support at columbia.edu OpenSSL.
More information about the krbdev