Fw: Kerberos MIT on Solaris

Will Fiveash will.fiveash at oracle.com
Mon Aug 23 20:17:29 EDT 2010

On Mon, Aug 23, 2010 at 03:46:31PM -0500, Will Fiveash wrote:
> On Mon, Aug 23, 2010 at 01:41:22PM -0700, Russ Allbery wrote:
> > Will Fiveash <will.fiveash at oracle.com> writes:
> > 
> > > Well, libkrb5 is supported in Solaris 10, however (as noted),
> > > Solaris libgss != MITKC libgssapi_krb5 
> > > in regards to interfaces.  Really though, the point of libgss is to
> > > insulate a caller from the specifics of security mech used.  If the
> > > caller needs to do krb specific things then it should link with libkrb5.
> > 
> > Assuming that your API split between libkrb5 and the GSSAPI interface is
> > similar to that in MIT, I don't believe there's any function in libkrb5
> > that is a substitute for gss_krb5_ccache_name.  But maybe on Solaris you
> > moved that function to libkrb5?
> It isn't supported in Solaris yet.

I'll expand on this a bit more.  Solaris libgss presents a security
mechanism neutral API whereas libgssapi_krb5 does not as evidenced by
the function name gss_krb5_ccache_name.  While I can understand why such a
function exists, it still violates the basic point of the GSS-API.
Maybe Solaris needs a libgssapi_krb5 that provides such functions but I
wouldn't want to see them in libgss.

Will Fiveash
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/

More information about the krbdev mailing list