[39177] in Kerberos


Re: appl/simple/client/sim_client.c uses internal APIs

daemon@ATHENA.MIT.EDU (Chris Hecker)
Fri Feb 24 14:04:50 2023

MIME-Version: 1.0
In-Reply-To: <202302241851.31OIoxtL003399@hedwig.cmf.nrl.navy.mil>
From: Chris Hecker <checker@d6.com>
Date: Fri, 24 Feb 2023 11:59:14 -0700
Message-ID: <CAOdMLc19t_+186fkhtBtP9g_CLacTu7AjGeBjWT9FAzWQ4O=tA@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Yeah, by portable I meant I just compile the parts of krb5 client code I
need when necessary.  The krb5 client is very portable and fairly small.  I
strip out some stuff I don’t use, but not too much.

Chris


On Fri, Feb 24, 2023 at 11:51 Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> >I have said this before on the list and it’s not a very popular thing to
> >say, but I program to the krb5 public API, and it is a nice and clean and
> >performant and simple and portable and flexible API, and GSSAPI looks like
> >none of those things, it looks like a mess to use (just from looking at it
> >for my needs, I have never programmed with it).  So, I hope there isn’t
> >some movement to deprecate the low-level public krb5 API, because it is very
> >useful for me at least.
>
> Dude, you are NOT the only one who feels that way, and I can't even
> BELIEVE people argue otherwise!  Yes, the GSSAPI is a mess; there is
> no getting around it.  The krb5 API is about 100x simpler (there are
> more functions, true, but most of the time you only need a handful
> of them).  I've used both; there's just no comparison.  I understand
> why the GSSAPI was created and the point of it and I use it when I
> feel it is appropriate; I understand why it is specified in protocol
> standards.  But in the service of making it "generic" it ended up being
> very complicated.  And if you want to have your protocol only require a
> single round trip, you're stuck either calling the krb5 API directly OR
> assuming that your GSSAPI mechanism will complete in a single round trip
> (the latter is what Microsoft chose for their GSSAPI HTTP protocol),
> which in my mind kind of negates the "g" in GSSAPI.
>
> However, one thing is worth mentioning: in my experience the GSSAPI
> is portable.  The details of the krb5 API are basically tied to the
> particular Kerberos implementation you're using, and that means you're
> stuck either with a lot of compatibility code OR you have to compile
> your preferred Kerberos implementation for your target platform, which
> presents its own issues.  If I want a truly portable application then I
> do use the GSSAPI.
>
> --Ken
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

