Please Review Changes to Windows Exports List for krb5 1.2.5 in KfW 2.2
Jeffrey Altman
jaltman at columbia.edu
Mon Apr 15 16:50:01 EDT 2002

What I really want from this API is the realm of the TGT that I must
use in order to be able to authenticate to the specified host. For me
this is not a question of the host belonging to more than one realm,
but for the client to be able to determine which credentials they
require in order to have a shot at succeeding.

It does me no good to have a valid TGT for CC.COLUMBIA.EDU if I can't
use it to cross realm to ATHENA.MIT.EDU when I want to log into
athena.dialup.mit.edu and require a service ticket for
host/athena.dialup.mit.edu@ATHENA.MIT.EDU.

I know that this is not what the API does at the moment. But this is
what I really want from it.

- Jeff

> "Danilo Almeida" <dalmeida at MIT.EDU> writes:
> > Jeffrey Altman reported that Kermit 95 uses krb5_free_host_realm() and
> > krb5_get_host_realm() and that removing these functions from the Windows
> > exports list would be very problematic for Kermit 95.
> >
> > Sam Hartman and Danilo Almeida asked other developers whether there was
> > a good reason to pull these functions out.
>
> We're a bit schizophrenic on the "host's realm" issue. This interface
> supports the notion of a host being "in" multiple realms. Other
> interfaces we have do not. We need to figure out which way it goes,
> and fix the API to be consistent.
>
> If we really need to have these functions available right now, we
> could change get_host_realm later to always return a single realm and
> then document that as a backwards-compatible update to the API, *if*
> we decide that's the approach to take. If we go with multiple realms
> for a host, then I expect we have several other parts of the API that
> need updating.
>
> That's not a decision to be made based on the most convenient way to
> change the API; it's a Kerberos protocol and administration design
> issue. Probably it should be taken up on the Kerberos working group
> list.
>
> Ken

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support at columbia.edu

Kermit 95 1.1.21 available now!!!
SSH plus Telnet, FTP and HTTP secured with Kerberos, SRP, and OpenSSL.