Null realms and servers
Nicolas Williams
Nicolas.Williams at sun.com
Wed Dec 20 12:05:54 EST 2006
On Fri, Dec 15, 2006 at 09:25:46PM -0500, Sam Hartman wrote:
> Nicolas> IMO, no, it's not acceptable for
> Nicolas> krb5_sname_to_principal() to return a NULL realm.
>
> That's nice. The time for this comment would have been months ago or
> at the latest when the code was introduced.

I've thought about this further. And I've reached the same conclusion
w.r.t. krb5_sname_to_principal() as I had (much earlier) about
GSS_Canonicalize_name():

 - Principal name canonicalization requires credentials in order to do
   it securely, therefore krb5_sname_to_principal() is a bad API and
   should be deprecated.

   The correct interface for principal name/realm canonicalization is
   krb5_get_credentials().

   (And the GSS-API requires a new function, say,
   GSS_Canonicalize_name_with_cred().)

It may yet turn out that the MIT krb5 1.6 change to
krb5_sname_to_principal() causes backwards compatibility problems that
go beyond krb5_kt_get_entry(). If so I'm sure MIT will reconsider this
particular change as alternatives seem to exist. In the meantime I
withdraw my objection.

Nico