[1707] in Kerberos-V5-bugs


Re: K5 recvauth question

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Nov 3 16:24:15 1995

Date: Fri, 3 Nov 1995 16:24:03 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: hyc@locus.com
Cc: krb5-bugs@MIT.EDU
In-Reply-To: Howard Chu's message of Thu, 2 Nov 1995 17:24:39 -0800,
	<9511030124.AA45527@troy.la.locus.com>

First of all, the use of sendauth/recvauth is something which I would in
general recommend against using.  It's provided as a convenience
function for someone who wants to hack a quick kerberized client/server
application together.  However, for anything that's going to be more
enduring, I would recommend either using the GSSAPI, or if you need
specialized features of the Kerberos protocol like user-to-user
authentication, which aren't supported by the GSSAPI (or by
sendauth/recvauth I might add), then you should use the native Kerberos
API directly.

In general, you're right.  The application specific version string
doesn't work very well, and we probably should have left it the same as
in V4, where it was only passed back to the client.  I don't see any
great need to change the protocol, though.  (That would break backwards
compatibility for things like rlogin, etc., which I'd like to avoid if
possible.)

If an application protocol wants to do something fancy, it can just put
a fixed string for the application version string, and do its own
protocol version negotiating after the sendauth/recvauth sequence is
completed, outside of sendauth/recvauth.

						- Ted
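
The approach in the last paragraph, sketched as an added example (not part of the original message or of the Kerberos sources): the application version string stays fixed, and the application negotiates its own protocol version once the authentication exchange is done. The string value, the one-byte wire format and all function names are assumptions made for illustration, and the negotiation bytes are sent unprotected here.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical fixed string both sides pass as the application version to
 * sendauth/recvauth; it stays the same across releases of the application. */
#define APPL_VERSION "EXAMPLE_APP_FIXED"
#define NO_COMMON 0 /* real protocol versions start at 1 */

static int read_full(int fd, uint8_t *buf, size_t len) {
    for (ssize_t r; len > 0; buf += r, len -= (size_t)r)
        if ((r = read(fd, buf, len)) <= 0) return -1;
    return 0;
}
/* Client: send a count byte followed by the versions it supports. */
static int offer_versions(int fd, const uint8_t *v, uint8_t n) {
    return (write(fd, &n, 1) == 1 && write(fd, v, n) == (ssize_t)n) ? 0 : -1;
}
/* Server: read the offer, answer with the highest version both sides have. */
static int select_version(int fd, const uint8_t *mine, size_t n_mine) {
    uint8_t n, offer[255], best = NO_COMMON;
    if (read_full(fd, &n, 1) || read_full(fd, offer, n)) return -1;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n_mine; j++)
            if (offer[i] == mine[j] && offer[i] > best) best = offer[i];
    return write(fd, &best, 1) == 1 ? best : -1;
}
/* Client: accept the answer only if it is a version that was offered. */
static int read_choice(int fd, const uint8_t *v, uint8_t n) {
    uint8_t c;
    if (read_full(fd, &c, 1)) return -1;
    if (c == NO_COMMON) return NO_COMMON;
    for (uint8_t i = 0; i < n; i++) if (v[i] == c) return c;
    return -1; /* server named a version the client never offered */
}
/* Runs both ends over a socketpair; returns version, 0 (none) or -1 (error). */
int negotiate_demo(const uint8_t *cli, uint8_t nc, const uint8_t *srv, size_t ns) {
    int sv[2], out = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    /* The sendauth/recvauth exchange using APPL_VERSION would finish here. */
    if (offer_versions(sv[0], cli, nc) == 0 && select_version(sv[1], srv, ns) >= 0)
        out = read_choice(sv[0], cli, nc);
    close(sv[0]); close(sv[1]);
    return out;
}
int main(void) {
    const uint8_t cli[] = {1, 2, 3}, srv[] = {2, 3, 4}; /* constructed sample */
    return printf("%s: v%d\n", APPL_VERSION, negotiate_demo(cli, 3, srv, 3)) < 0;
}
```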

