help-shishi

Re: Broken k5login authentication type.


From: Simon Josefsson
Subject: Re: Broken k5login authentication type.
Date: Wed, 08 Aug 2012 14:11:36 +0200
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux)

Mats Erik Andersson <address@hidden> writes:

> On Wednesday, 8 August 2012 at 13:10, Simon Josefsson wrote:
>> Mats Erik Andersson <address@hidden> writes:
>> 
>> > My preferred interpretation is that
>> >
>> >   shishi_authorize_p (h, "k5login");
>> >
>> > should only set authorization type "k5login", nothing more, nothing less.
>> > Allowing the fallback is equivalent to making the above call equal to
>> >
>> >   shishi_authorize_p (h, "k5login basic");
>> >
>> > I find it important to be able to enforce a distinction here.
>> 
>> Good point, I agree.
>> 
>> It feels a bit awkward for every application to provide the "k5login
>> basic" string though. What if we want to introduce something new by
>> default in the future?  Maybe there should be a "default" authorization
>> string that maps to (currently) "k5login basic".  Then most applications
>> could use that, and we'd be more future safe.  Thoughts?
>
> For all readers, let me recall that the default effect of
> shishi_init_server() is identical to executing
>
>    shishi_authorize_p (h, "basic");
>
> Thus authorizing access only for identical remote and local user names.
> Each call to shishi_authorize_p() erases the previous setting and
> attempts to set new authorization types, so there is no incremental
> effect here, which is perfectly desirable.
>
> An alternative to the present state would be to initialize the server
> with both types "basic" and "k5login" in shishi_init_server().
>
> Probably better would be a configuration value like
>
>      ## etc/shishi/shishi.conf
>
>      ## Default authorization setting of servers.  The default setting
>      ## is "k5login basic", but administrators are urged to check this.
>      ##
>      #authorization-default=k5login basic
>
> This would make the library setting transparent and it would increase
> the awareness of the matter in each administrator using Shishi as their
> preferred Kerberos support. Including "k5login" probably eases the
> migration to libshishi in multi-system environments.

That seems nice -- and presumably then we would remove the "k5login
basic" stuff from InetUtils?

Thanks,
/Simon
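
The distinction argued for in this thread, as an added example that is not part of the original messages and is not libshishi code: a small C model in which "k5login" alone never falls back to name comparison, while "k5login basic" does. All function names, the mask constants and the sample data (local user "bob", a k5login list containing only "alice") are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the semantics discussed; none of this is libshishi code. */
enum { AUTHZ_BASIC = 1, AUTHZ_K5LOGIN = 2 };

/* Constructed sample: stand-in for the contents of bob's ~/.k5login. */
static const char *const SAMPLE_K5LOGIN[] = { "alice" };
static const char SAMPLE_LOCAL_USER[] = "bob";

/* Parse a space-separated type list into a fresh mask (a new setting replaces
   the old one, nothing accumulates). Returns -1 on an unknown or oversized list. */
int authz_parse(const char *types)
{
    char buf[64];
    int mask = 0;
    if (strlen(types) >= sizeof buf) return -1;
    strcpy(buf, types);
    for (char *t = strtok(buf, " "); t != NULL; t = strtok(NULL, " ")) {
        if (strcmp(t, "basic") == 0) mask |= AUTHZ_BASIC;
        else if (strcmp(t, "k5login") == 0) mask |= AUTHZ_K5LOGIN;
        else return -1;
    }
    return mask;
}

/* Returns 1 if an enabled type authorizes the principal, else 0. */
int authz_check(int mask, const char *principal)
{
    size_t n = sizeof SAMPLE_K5LOGIN / sizeof SAMPLE_K5LOGIN[0];
    if (mask <= 0) return 0;                      /* fail closed */
    if (mask & AUTHZ_K5LOGIN)                     /* listed principals only */
        for (size_t i = 0; i < n; i++)
            if (strcmp(SAMPLE_K5LOGIN[i], principal) == 0) return 1;
    if ((mask & AUTHZ_BASIC) && strcmp(principal, SAMPLE_LOCAL_USER) == 0)
        return 1;                                 /* remote name == local name */
    return 0;
}

int main(void)
{
    const char *settings[] = { "basic", "k5login", "k5login basic" };
    for (size_t s = 0; s < 3; s++)
        printf("%-14s alice=%d bob=%d\n", settings[s],
               authz_check(authz_parse(settings[s]), "alice"),
               authz_check(authz_parse(settings[s]), "bob"));
    return 0;
}
```

In this model an unrecognized type string yields no authorization at all, so a typo in the setting denies access instead of silently widening it.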


