KfM 4.0b7: a few questions

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jan 31 01:14:00 EST 2002


>It's not really designing a preference here, it's designing a policy 
>system. That is an incredibly complex engineering task that when 
>confronted with the multitude of other requests, always gets bumped 
>off the list.

My personal thoughts are that this is overkill for the problem at
hand.  Many of the wacky changes I've had to make to our Kerberos
tree were driven by site policy (and not ones that come from me;
these are from the people that give us money).  But I've never felt
the need to implement a policy system, and looking back over what
I had to do, I'm not sure I would have benefited from such a thing.
As you point out, such things end up being complicated ... and the
changes I had to make to the bits of code are rather small (it just
ended up being a lot of them, but I'm not sure that it would have been
any savings considering the effort of creating a policy system).
I have to believe that changing the library _not_ to pop up a dialog
box can't be that big of a change, and there are certainly plenty of
places to stuff the information to tell the library how to behave.

>Otherwise, you're just annoying the user by forcing them to perform 
>unnecessary steps that the computer should be able to automate. And 
>isn't that what computers are for?

As for the actual feature request ... I'm of two minds about it (not
that I have any actual influence either way :-) ).  When you get right
down to it, in a system with a nice graphical UI, you _expect_ things
to be helpful, like putting up a password dialog when you need to enter
your password.  But I agree it's important to train users to only enter
their Kerberos password into the few places where Kerberos passwords
go.  But ... if you can pop up a dialog box onto someone's screen,
then the game is already over IMHO.  But it wouldn't surprise me if a
site had a policy prohibiting the auto-password dialog from being used,
and it would be a shame if you couldn't use the shipped Mac Kerberos
at such a site (not that any site that I'm aware of has such a policy
today).

--Ken


