Requesting Anonymous as a client
hartmans at MIT.EDU
Fri Dec 18 15:22:32 EST 2009
It seems like no one has had any serious objections to my plan of
signaling that anonymous is in use with the WELLKNOWN/ANONYMOUS
There is a related question of how to request anonymous as a client.
The easiest way to do this, and what I'm doing now, is to see if the
client is requesting WELLKNOWN/ANONYMOUS in krb5_get_init_creds (and
related async friends) and if so, set the anonymous KDC option. When I
did the project write up, I assumed that a convenience API would be
required, but it turns out in practice it was easy to make kinit
WELLKNOWN/ANONYMOUS at REALM just work.
My current code does make it impossible to request the
WELLKNOWN/ANONYMOUS principal either with the anonymous KDC option
cleared or with a name type other than KRB5_NT_WELLKNOWN. It would be
possible to create a conforming implementation that handled the
anonymous principal with a different name type and with the KDC option
cleared as something other than anonymous.
I do not think this is likely at all nor is it something we should
concern ourselves with.
So, I think using the client principal name as a way to signal anonymous
within our API is fine.
I'm less sure that exposing that as a user interface is ideal. In
particular, I'm not sure that we want users to remember that principal
name. However I don't really have better options.
If we do want to expose a different UI, we need to do so in kinit and
kadmin. Exposing new credentials options in kadmin is a bit tricky.
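The client-side rule described above, as an added example that is not the poster's code or MIT krb5's: a stand-alone C model (hypothetical `struct principal` and `derive_kdc_options`, no krb5.h) in which the WELLKNOWN/ANONYMOUS name with name type KRB5_NT_WELLKNOWN implies the anonymous KDC option, the same name with another name type is refused, and other names pass their options through untouched.

```c
#include <stdint.h>
#include <string.h>

/* Values as defined in krb5.h / RFC 6111; restated here so the model builds
 * without the krb5 headers. */
#define KRB5_NT_WELLKNOWN          11          /* name type of WELLKNOWN/... names */
#define KDC_OPT_REQUEST_ANONYMOUS  0x00008000  /* KDCOptions bit 16 ("anonymous") */

/* Hypothetical minimal stand-in for krb5_principal. */
struct principal {
    const char *realm;            /* kept for completeness; not consulted below */
    const char *components[2];
    int ncomponents;
    int type;                     /* name type, e.g. KRB5_NT_WELLKNOWN */
};

/* 1 if the two components spell WELLKNOWN/ANONYMOUS, regardless of name type.
 * The realm is deliberately ignored: the post uses WELLKNOWN/ANONYMOUS@REALM. */
static int has_anonymous_name(const struct principal *p)
{
    return p->ncomponents == 2 &&
           strcmp(p->components[0], "WELLKNOWN") == 0 &&
           strcmp(p->components[1], "ANONYMOUS") == 0;
}

/* Derive the KDC options an AS-REQ should carry for a given client name and
 * the options the caller supplied (as krb5_get_init_creds would).
 * Returns 0 and fills *out, or -1 for the combination the post rules out:
 * the anonymous name with a name type other than KRB5_NT_WELLKNOWN. */
static int derive_kdc_options(const struct principal *client,
                              uint32_t caller_opts, uint32_t *out)
{
    if (has_anonymous_name(client)) {
        if (client->type != KRB5_NT_WELLKNOWN)
            return -1;                    /* right name, wrong name type */
        /* The name alone signals anonymity: the option cannot be left clear. */
        *out = caller_opts | KDC_OPT_REQUEST_ANONYMOUS;
        return 0;
    }
    *out = caller_opts;                   /* any other client name: unchanged */
    return 0;
}
```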