Integration of k5start/krenew functionality
Ken Raeburn
raeburn at MIT.EDU
Mon Aug 3 03:48:28 EDT 2009
On Aug 2, 2009, at 23:47, Greg Hudson wrote:
>> Can we do it with a tiny plugin module that can either be installed or
>> not depending on whether you need the AFS support,
>
> I am reluctant to add any build dependencies of any kind on AFS, because
> AFS depends on krb5.
Actually, I was thinking the plugin wouldn't be in the krb5
distribution, but a separate thing (maybe in krb5-appl, which already
depends on both krb5 and optionally openafs, or maybe folded into the
openafs package, except for the mit-vs-heimdal issues). In terms of
build dependencies, it would depend on Kerberos, but not the other way
around. The basic Kerberos package would just have a callback hook
for a somewhat specialized purpose.
> Finally, in regards to coupling a ccache to a keytab at the library
> level: I have even more reservations on this front after thinking about
> it further. The as-req code path is fundamentally more complicated than
> the tgs-req code path because of the open-ended nature of the preauth
> framework. For example, you might need pkinit to perform an as-req, and
> pkinit relies on OpenSSL, which does not want to be linked into the same
> process as GPL'd code. I'm very uncomfortable with the idea of
> krb5_get_credentials() potentially performing an as-req at this time.
Good point; I hadn't thought of that.
Ken