Kristen J. Webb wrote:
Hi Simon,

My current concern with the GSSAPI approach is that I do not understand how tightly bound it is with Kerberos yet (or vice-versa). Is it possible that I may run into situations where Kerberos is used w/o access to gssapi libraries?

From my perspective the win with GSSAPI is that not only do you obtain a higher degree of platform portability with GSSAPI than you do with Kerberos v5 APIs, but you also obtain a high degree of protocol interoperability. If you restrict yourself to GSSAPI you are able to write services for UNIX that can communicate with Windows Kerberos SSP based clients; or Windows Kerberos SSP based services that communicate with UNIX GSSAPI clients.

In addition, not all of the major UNIX operating systems expose Kerberos APIs. The biggest one is Solaris which provides GSSAPI and no Kerberos v5. Another reason for avoiding the direct Kerberos v5 APIs is that it is not simply a MIT vs Heimdal world. The GNU implementation is different and even in the MIT derived family of implementations there are differences. Sun has modified a number of interfaces that make direct compilation against their headers (if they were available) an additional level of complexity.

Ken H. is correct that if all you want to do is use Kerberos v5 and you know that is what you need, it is much easier to add Kerberos v5 authentication by coding to one of the implementations. It is only when the added complexity of dealing with all of the incompatible APIs that you are left wondering if the long term support costs are worth the short term gain in ease of implementation.

Regardless of which method you decide to follow I believe that dynamically selecting the library to load at runtime has major benefits for an application provider. Doing so permits you to work with a variety of implementations based upon the choices of the local system administrator and not be dependent upon the choices of the operating system packager.

I too would avoid SASL unless you absolutely need it because the protocol you are implementing specifies it.

Jeffrey Altman
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
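
The runtime library selection described in the reply above, sketched as an added example (not code from the post or from any Kerberos distribution). The library file names are common provider names assumed here, and the `APP_GSSAPI_LIB` override variable is hypothetical.

```python
import ctypes
import os

# Assumed library names for common GSSAPI providers (not listed in the post).
CANDIDATES = [
    "libgssapi_krb5.so.2",  # MIT Kerberos
    "libgssapi.so.3",       # Heimdal
    "libgss.so.1",          # Solaris native GSSAPI
    "gssapi64.dll",         # MIT Kerberos for Windows, 64-bit
    "gssapi32.dll",         # MIT Kerberos for Windows, 32-bit
]

# RFC 2744 entry points a usable provider must export.
REQUIRED = ["gss_import_name", "gss_init_sec_context",
            "gss_accept_sec_context", "gss_release_buffer"]

OVERRIDE_ENV = "APP_GSSAPI_LIB"  # hypothetical variable name


def candidate_list(environ=os.environ):
    """Administrator override first, then the built-in defaults."""
    override = environ.get(OVERRIDE_ENV)
    if override:
        # Accept only an absolute path so the choice cannot be redirected
        # through the loader search path or the working directory.
        if not os.path.isabs(override):
            raise ValueError(f"{OVERRIDE_ENV} must be an absolute path")
        return [override] + CANDIDATES
    return list(CANDIDATES)


def load_first(names, required=REQUIRED):
    """Return (name, handle) for the first library that loads and exports
    every required symbol, or (None, None) if no candidate qualifies."""
    for name in names:
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue  # not installed on this system
        if all(hasattr(lib, sym) for sym in required):
            return name, lib
    return None, None


if __name__ == "__main__":
    name, _ = load_first(candidate_list())
    print("GSSAPI provider:", name or "none found")
```

Checking the exported symbols before accepting a library keeps a same-named but incompatible file from being used as the security provider.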
