Requesting Anonymous as a client

Sam Hartman hartmans at MIT.EDU
Tue Dec 22 09:48:14 EST 2009


In general I agree with Greg's approach.

I think that the transformation from @REALM to WELLKNOWN/ANONYMOUS@REALM
needs to happen within krb5_get_init_creds so that it can be shared by
kadmin, kinit and other applications.

I think based on the scope of this project inferring the anonymous KDC
option from the principal in the fully anonymous case is desirable.  My reason
is that it means we don't have to wait for people to receive updates to
Authen::Krb5::admin and similar modules in order to use this support in
kadmin scripts.  Given that host enrollment is a specific goal that
seems worth it to me.  However, like Greg, my position on this issue is
weak.


I'm not sure that using the default realm is appropriate.  Kinit
has some moderately involved logic to decide what principal to use.


Currently, on my plate is:
* Just completed transited realm changes (untested)
* Need to get kadmin working with canonicalization of the client
principal.

At that point I think we'd have a version that (mod bugs) it would be
reasonable to ship.

Once I get to that point I can use any remaining time to:

* Adapt kinit -n support I have to work as specified by Greg
* Introduce the API flag
* Add a -n option to kadmin and an API to the kadmin library.

I have time to work on this today and some time tomorrow, but I'd like
to be done with design changes after what time I have today and
tomorrow.  Let's see where we are and see whether we can accept the
result.

Obviously I'll be available for bug fixes and the like through the
release process.


