help-shishi

Re: Broken k5login authentication type.


From: Mats Erik Andersson
Subject: Re: Broken k5login authentication type.
Date: Wed, 8 Aug 2012 13:55:24 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

On Wednesday, 8 August 2012 at 13:10, Simon Josefsson wrote:
> Mats Erik Andersson <address@hidden> writes:
> 
> > My preferred interpretation is that
> >
> >   shishi_authorize_p (h, "k5login");
> >
> > should only set authorization type "k5login", nothing more, nothing less.
> > Allowing the fall back is equivalent to making the above call equal to
> >
> >   shishi_authorize_p (h, "k5login basic");
> >
> > I find it important to be able to enforce a distinction here.
> 
> Good point, I agree.
> 
> It feels a bit awkward for every application to provide the "k5login
> basic" string though. What if we want to introduce something new by
> default in the future?  Maybe there should be a "default" authorization
> string that maps to (currently) "k5login basic".  Then most applications
> could use that, and we'd be more future safe.  Thoughts?

For all readers, let me recall that the default effect of
shishi_init_server() is identical to executing

   shishi_authorize_p (h, "basic");

Thus authorizing access only for identical remote and local user names.
Each call to shishi_authorize_p() erases the previous setting and
attempts to set new authorization types, so there is no incremental
effect here, which is perfectly desirable.

An alternative to the present state would be to initialize the server
with both types "basic" and "k5login" in shishi_init_server().

Probably better would be a configuration value like

     ## etc/shishi/shishi.conf

     ## Default authorization setting of servers.  The default setting
     ## is "k5login basic", but administrators are urged to check this.
     ##
     #authorization-default=k5login basic

This would make the library setting transparent and it would increase
the awareness of the matter in each administrator using Shishi as their
preferred Kerberos support. Including "k5login" probably eases the
migration to libshishi in multi-system environments.


Best regards,

  Mats E A
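
Added example, not part of the original message and not libshishi code: a small model of the semantics discussed in the thread, where each type string replaces the previous setting and "k5login" alone does not fall back to "basic". The names authz_parse and authz_check, the principals and the .k5login contents are hypothetical, and the rule that "basic" compares the name before '@' is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of the authorization types; not the libshishi API. */
enum { AUTHZ_BASIC = 1, AUTHZ_K5LOGIN = 2 };

/* Parse e.g. "k5login basic" into a fresh set that replaces any earlier
   one. An unknown name yields 0, so a typo denies instead of widening. */
int authz_parse(const char *spec)
{
    char buf[64];
    int set = 0;
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    for (char *t = strtok(buf, " "); t != NULL; t = strtok(NULL, " ")) {
        if (strcmp(t, "basic") == 0) set |= AUTHZ_BASIC;
        else if (strcmp(t, "k5login") == 0) set |= AUTHZ_K5LOGIN;
        else return 0;
    }
    return set;
}

/* 1 if `principal` may act as `local`; `k5login` is the NULL-terminated
   list of principals read from the local user's .k5login file. */
int authz_check(int set, const char *principal, const char *local,
                const char *const *k5login)
{
    if (set & AUTHZ_K5LOGIN)
        for (size_t i = 0; k5login[i] != NULL; i++)
            if (strcmp(k5login[i], principal) == 0) return 1;
    if (set & AUTHZ_BASIC) {
        /* Assumption: "basic" compares the name before '@' with `local`. */
        size_t n = strcspn(principal, "@");
        if (n == strlen(local) && strncmp(principal, local, n) == 0) return 1;
    }
    return 0;
}
/* Constructed sample: alice's .k5login lists only bob. */
static const char *const alice_k5login[] = { "bob@EXAMPLE.ORG", NULL };

int main(void)
{
    const char *specs[] = { "basic", "k5login", "k5login basic" };
    for (size_t i = 0; i < 3; i++) {
        int s = authz_parse(specs[i]);
        printf("%-14s alice=%d bob=%d\n", specs[i],
               authz_check(s, "alice@EXAMPLE.ORG", "alice", alice_k5login),
               authz_check(s, "bob@EXAMPLE.ORG", "alice", alice_k5login));
    }
    return 0;
}
```

With strict "k5login", alice's own principal is refused because it is not listed in her .k5login; only the combined "k5login basic" setting admits both principals.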


