Requesting Anonymous as a client

Sam Hartman hartmans at MIT.EDU
Fri Dec 18 15:22:32 EST 2009


It seems like no one has had any serious objections to my plan of
signaling that anonymous is in use with the WELLKNOWN/ANONYMOUS
principal.

There is a related question of how to request anonymous as a client.
The easiest way to do this, and what I'm doing now, is to see if the
client is requesting WELLKNOWN/ANONYMOUS in krb5_get_init_creds (and
related async friends) and if so, set the anonymous KDC option.  When I
did the project write up, I assumed that a convenience API would be
required, but it turns out in practice it was easy to make kinit
WELLKNOWN/ANONYMOUS at REALM just work.

My current code does make it impossible to request the
WELLKNOWN/ANONYMOUS principal either with the anonymous KDC option
cleared or with a name type other than KRB5_NT_WELLKNOWN.  It would be
possible to create a conforming implementation that handled the
anonymous principal with a different name type and with the KDC option
cleared as something other than anonymous.
I do not think this is likely at all nor is it something we should
concern ourselves with.

So, I think using the client principal name as a way to signal anonymous
within our API is fine.

I'm less sure that exposing that as a user interface is ideal.  In
particular, I'm not sure that we want users to remember that principal
name.  However I don't really have better options.

If we do want to expose a different UI, we need to do so in kinit and
kadmin.  Exposing new credentials options in kadmin is a bit tricky.


Thoughts?

--Sam
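An added illustration of the client-side signalling described in the message above. This is example code written for this page, not MIT krb5's libkrb5 or kinit: the principal struct, the parser and the function names (parse_principal, init_creds_options, kinit_options, name_type_of) are stand-ins, and the way a mismatched name type is handled (refusing the request) is one assumed reading of "impossible to request". The constants follow RFC 6111: name type 11 for KRB5_NT_WELLKNOWN and KDCOptions bit 16 for request-anonymous.

```c
/*
 * Added example, not MIT krb5 code: the WELLKNOWN/ANONYMOUS client name is
 * the signal to set the request-anonymous KDC option, and that name with any
 * other name type is refused.  Types and helpers are stand-ins; constants
 * follow RFC 6111.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_PRINCIPAL 1
#define NT_WELLKNOWN 11                       /* KRB5_NT_WELLKNOWN, RFC 6111 */
#define KDC_OPT_REQUEST_ANONYMOUS 0x00008000u /* KDCOptions bit 16 */
#define MAX_COMP 4
#define MAX_LEN 64

typedef struct {
    int  type;                     /* name type */
    char realm[MAX_LEN];
    int  ncomp;
    char comp[MAX_COMP][MAX_LEN];  /* name components */
} principal;

/* The anonymous name is exactly the components WELLKNOWN and ANONYMOUS; the
 * realm may be a real one (realm-exposed) or WELLKNOWN:ANONYMOUS. */
static int is_anonymous_name(const principal *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "WELLKNOWN") == 0 &&
           strcmp(p->comp[1], "ANONYMOUS") == 0;
}

/* Parse "comp1/comp2@REALM".  Assumption for this example: the parser gives
 * the anonymous name the well-known type, so "kinit WELLKNOWN/ANONYMOUS@REALM"
 * needs no extra flag.  Returns 0 on success, -1 on a malformed string. */
static int parse_principal(const char *str, principal *out)
{
    const char *at = strrchr(str, '@'), *p = str;

    memset(out, 0, sizeof(*out));
    out->type = NT_PRINCIPAL;
    if (at == NULL || at[1] == '\0' || strlen(at + 1) >= MAX_LEN)
        return -1;
    strcpy(out->realm, at + 1);
    while (p < at) {                           /* split components on '/' */
        const char *slash = memchr(p, '/', (size_t)(at - p));
        const char *end = slash != NULL ? slash : at;
        size_t len = (size_t)(end - p);

        if (len == 0 || len >= MAX_LEN || out->ncomp == MAX_COMP)
            return -1;
        memcpy(out->comp[out->ncomp], p, len);
        out->comp[out->ncomp][len] = '\0';
        out->ncomp++;
        p = end + 1;
    }
    if (out->ncomp == 0)
        return -1;
    if (is_anonymous_name(out))
        out->type = NT_WELLKNOWN;
    return 0;
}

/* The check from the message as this example realises it: the anonymous name
 * with KRB5_NT_WELLKNOWN implies the anonymous KDC option; the same name with
 * any other type is refused, so it cannot be requested with the option
 * cleared.  Other names keep the caller's options.  Returns 0 or -1. */
static int init_creds_options(const principal *client, uint32_t base_opts,
                              uint32_t *kdc_options)
{
    uint32_t opts = base_opts;

    if (is_anonymous_name(client)) {
        if (client->type != NT_WELLKNOWN)
            return -1;
        opts |= KDC_OPT_REQUEST_ANONYMOUS;
    }
    *kdc_options = opts;
    return 0;
}

/* Name type the parser assigns to NAME, or -1 if NAME does not parse. */
int name_type_of(const char *name)
{
    principal p;
    return parse_principal(name, &p) == 0 ? p.type : -1;
}

/* kinit-style entry: parse NAME, optionally force a name type (TYPE_OVERRIDE
 * < 0 keeps the parsed one), compute KDC options.  Returns them or -1. */
long kinit_options(const char *name, int type_override, uint32_t base_opts)
{
    principal p;
    uint32_t opts;

    if (parse_principal(name, &p) != 0)
        return -1;
    if (type_override >= 0)
        p.type = type_override;
    if (init_creds_options(&p, base_opts, &opts) != 0)
        return -1;
    return (long)opts;
}

int main(void)
{
    const char *names[] = { "WELLKNOWN/ANONYMOUS@EXAMPLE.COM",
                            "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS",
                            "alice@EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-40s type=%2d options=0x%08lx\n", names[i],
               name_type_of(names[i]), kinit_options(names[i], -1, 0));
    printf("anonymous name with NT_PRINCIPAL: %ld (refused)\n",
           kinit_options(names[0], NT_PRINCIPAL, 0));
    return 0;
}
```

The realm is deliberately ignored by the check: "WELLKNOWN/ANONYMOUS@EXAMPLE.COM" (realm exposed) and "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS" both set the option, while a three-component name that merely starts with WELLKNOWN/ANONYMOUS is treated as an ordinary principal.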