Detecting user cancel in gss_init_sec_context

Miro Jurisic meeroh at
Wed Sep 24 12:35:28 EDT 2003

>>I would like there to be an error which unambiguously indicates 
>>that a krb5 call failed because the user cancelled
>There is no plan for this sort of enhancement.

Given that krb5 is still (as far as I know) not thread safe, I'd 
imagine it behooves you to allow the user to cancel any lengthy 
Kerberos operation (not just the login dialog), but I assume you will 
tell me this is also an enhancement that won't see the light of day 
any time soon.

Given the wide adoption that Kerberos is gaining in Mac OS X as of 
late, I expect that user experience will become increasingly 
important, and so I hope you will not be able to brush aside this 
problem for much longer.

If you think it would be more productive for me to file Radar bugs on 
the ways the Kerberos API hurts user experience, I can do that.

>Because the dialog is not system-modal (like it was on Mac OS 9), 
>the user is free to ignore it and continue using other 
>non-Kerberized applications.  On a machine with a decent sized 
>monitor, the dialog isn't even particularly annoying.  I have 
>certainly left it on the screen for up to an hour because I was busy 
>doing something else and didn't care whether I got mail right away.

Do you have a reason to believe this is how most, or even many, users 
would behave? Also, don't forget you could alleviate this problem 
somewhat by making it clear which application caused the dialog to 
come up, just as Keychain does. That way, when the user cancels the 
dialog, he will at least know which app is going to fail as a result.

>>It seems to me that adding a new krb5 error code which signals this 
>>condition is the right solution, although I will look into using 
>>one of your proposed workarounds.
>Yes, it would be nice to get such an error with the existing 
>behavior.  However, since neither Jaguar nor Panther will have it, I 
>suspect that even if we added it for you in some later release, it 
>still wouldn't be useful because you have to support older OSes.

The fact that I would have to put in a workaround for older OSes by 
no means gives you an excuse not to consider a fix for the future.


<> | KB1FMP

A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
