Integration of k5start/krenew functionality

Ken Raeburn raeburn at MIT.EDU
Mon Aug 3 03:48:28 EDT 2009


On Aug 2, 2009, at 23:47, Greg Hudson wrote:
>> Can we do it with a tiny plugin module that can either be installed or
>> not depending on whether you need the AFS support,
>
> I am reluctant to add any build dependencies of any kind on AFS, because
> AFS depends on krb5.

Actually, I was thinking the plugin wouldn't be in the krb5  
distribution, but a separate thing (maybe in krb5-appl, which already  
depends on both krb5 and optionally openafs, or maybe folded into the  
openafs package, except for the mit-vs-heimdal issues).  In terms of  
build dependencies, it would depend on Kerberos, but not the other way  
around.  The basic Kerberos package would just have a callback hook  
for a somewhat specialized purpose.

> Finally, in regards to coupling a ccache to a keytab at the library
> level: I have even more reservations on this front after thinking about
> it further.  The as-req code path is fundamentally more complicated than
> the tgs-req code path because of the open-ended nature of the preauth
> framework.  For example, you might need pkinit to perform an as-req, and
> pkinit relies on OpenSSL, which does not want to be linked into the same
> process as GPL'd code.  I'm very uncomfortable with the idea of
> krb5_get_credentials() potentially performing an as-req at this time.

Good point; I hadn't thought of that.

Ken
