Mats Erik Andersson <[email protected]> writes: > onsdag den 8 augusti 2012 klockan 13:10 skrev Simon Josefsson detta: >> Mats Erik Andersson <[email protected]> writes: >> >> > My preferred interpretation is that >> > >> > shishi_authorize_p (h, "k5login"); >> > >> > should only set authorization type "k5login", nothing more, nothing less. >> > Allowing the fall back is equivalent to make the above call be equal to >> > >> > shishi_authorize_p (h, "k5login basic"); >> > >> > I find it important to be able to enforce a distinction here. >> >> Good point, I agree. >> >> It feels a bit awkward for every application to provide the "k5login >> basic" string though. What if we want to introduce something new by >> default in the future? Maybe there should be a "default" authorization >> string that maps to (currently) "k5login basic". Then most applications >> could use that, and we'd be more future safe. Thoughts? > > For all readers, let me recall that the default effect of > shishi_init_server() is identical to executing > > shishi_authorize_p (h, "basic"); > > Thus authorizing access only for identical remote and local user names. > Each call to shishi_authorize_p() erases the previous setting and > attempts to set new authorization types, so there is no incremental > effect here, which is perfectly desireable. > > An alternative to the present state would be to initialize the server > with both types "basic" and "k5login" in shishi_init_server(). > > Probably better would be a configuration value like > > ## etc/shishi/shishi.conf > > ## Default authorization setting of servers. The default setting > ## is "k5login basic", but administrators are urged to check this. > ## > #authorization-default=k5login basic > > This would make the library setting transparent and it would increase > the awareness of the matter in each administrator using Shishi as their > preferred Kerberos support. Including "k5login" probably eases the > migration to libshishi in multi-system environments.
That seems nice -- and presumably then we would remove the "k5login basic" stuff from InetUtils? Thanks, /Simon _______________________________________________ Help-shishi mailing list [email protected] https://lists.gnu.org/mailman/listinfo/help-shishi
