[29744] in Kerberos
Re: advice on kerberizing products
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Apr 24 09:45:34 2008
Message-ID: <48108E5A.5080609@anl.gov>
Date: Thu, 24 Apr 2008 08:42:50 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Kristen J. Webb" <kwebb@teradactyl.com>
In-Reply-To: <480FB442.3040104@teradactyl.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Kristen J. Webb wrote:
> Hi Simon,
>
> My current concern with the GSSAPI approach is that
> I do not understand how tightly bound it is
> with Kerberos yet (or vice-versa). Is it possible
> that I may run into situations where Kerberos
> is used w/o access to gssapi libraries?
>
In addition to Ken Raeburn's comments, the original Solaris 10
shipped with the GSSAPI, but hid the underlying Kerberos API.
But last year they relented and exposed the Kerberos API too.
On Windows the Microsoft SSPI has a different API then GSSAPI,
but they use the same protocol, and can interoperate with
other GSSAPI implementaitons.
Although GSSAPI is generic, and can have more mechanisms then
Kerberos, Kerberos is the predominant mechanism for GSSAPI.
I would go with GSSAPI if at all possible.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
