
Re: Behavioural differences in Heimdal and MIT [was: Re: API differences between Heimdal and MIT]

On Wed, Feb 15, 2006 at 07:38:06AM -0500, Buck Huppmann wrote:

> Getting completely outside the box, the application needn't even call
> krb5_kuserok() and just do what it thinks is right, given the
> authenticated principal. I think that's probably the right thing to do,
> since Kerberos is an authentication system, after all, not an
> authorization system.

Yes, making krb5_kuserok() officially deprecated may be a good idea.
Nowadays the use of PAM is widespread and writing a PAM module that
implements krb5_kuserok() functionality for those who need it should be
easy. Deprecating krb5_kuserok() should be coordinated with MIT, however.


     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
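
An added example, not part of the original message and not code from Heimdal or MIT: an application-side authorization check applied to an already authenticated principal, the kind of decision the quoted text says an application can make itself. The function name, the ACL format (one principal per line) and the policy (an ACL, when present, is the only source of authorization; otherwise only `luser@realm` is accepted) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy helper, not a Kerberos library call.
 * principal: authenticated client name, e.g. "alice@EXAMPLE.ORG"
 * luser:     local account being requested
 * acl:       per-account list, one principal per line, or NULL if none
 * realm:     the realm this host treats as local
 * Returns 1 if access is allowed, 0 otherwise (fails closed). */
int principal_may_login(const char *principal, const char *luser,
                        const char *acl, const char *realm)
{
    if (!principal || !luser || !realm || !*principal || !*luser)
        return 0;
    size_t plen = strlen(principal);
    if (acl != NULL) {
        /* ACL present: only an exact whole-line match authorizes. */
        for (const char *line = acl; *line; ) {
            size_t len = strcspn(line, "\n");
            size_t n = len;
            while (n > 0 && strchr(" \t\r", line[n - 1]))
                n--;                      /* ignore trailing blanks / CR */
            if (n == plen && memcmp(line, principal, plen) == 0)
                return 1;
            line += len;
            if (*line == '\n')
                line++;
        }
        return 0;
    }
    /* No ACL: accept only "<luser>@<realm>", so alice/admin is refused. */
    const char *at = strrchr(principal, '@');
    if (at == NULL)
        return 0;
    size_t ulen = (size_t)(at - principal);
    if (ulen != strlen(luser) || memcmp(principal, luser, ulen) != 0)
        return 0;
    return strcmp(at + 1, realm) == 0;
}

int main(void)
{
    /* Constructed sample ACL for the local account "alice". */
    const char *acl = "bob@EXAMPLE.ORG\nalice@OTHER.ORG\n";
    printf("%d\n", principal_may_login("alice@OTHER.ORG", "alice", acl, "EXAMPLE.ORG"));
    printf("%d\n", principal_may_login("alice/admin@EXAMPLE.ORG", "alice", NULL, "EXAMPLE.ORG"));
    return 0;
}
```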