[17205] in Kerberos_V5_Development
Re: gss_pname_to_uid: is that the right interface
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Love_H=F6rnquist_=C)
Thu Sep 22 16:24:46 2011
X-KTH-mail-from: lha@h5l.org
Mime-Version: 1.0 (Apple Message framework v1250.4)
From: Love Hörnquist Åstrand <lha@h5l.org>
In-Reply-To: <12ab01cc7907$42ec34d0$c8c49e70$@edu>
Date: Thu, 22 Sep 2011 16:18:43 +0200
Message-Id: <D034B791-BD05-4EF4-A844-33069CD2B8A4@h5l.org>
To: Danilo Almeida <dalmeida@mit.edu>
Cc: "'Nico Williams'" <nico@cryptonector.com>, lukeh@padl.com,
"'Sam Hartman'" <hartmans@mit.edu>, krbdev@mit.edu,
"'Simo Sorce'" <simo@redhat.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 22 Sep 2011, at 11:08, Danilo Almeida wrote:
> Adding OS authorization notions such as username or uid as new calls into
> GSSAPI seems like a really bad idea
Not having it creates security bugs; there are plenty of examples where people do gss_display_name() and then cut the string at the @ and call it a username.
Love
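The pattern described in the message above, next to a stricter mapping, as an added example that is not part of the original message or of any Kerberos implementation. The function names, the realm names and the "single component in the local realm" policy are assumptions made for illustration, and the display names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Pattern described in the message: cut the display name at the first '@'. */
static int naive_username(const char *display, char *out, size_t outlen)
{
    size_t n = strcspn(display, "@");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, display, n);
    out[n] = '\0';
    return 0;
}

/* Assumed policy (simplified): map only a single-component principal in the
 * local realm; reject instances, escapes, missing or foreign realms. */
static int strict_username(const char *display, const char *local_realm,
                           char *out, size_t outlen)
{
    size_t n = strcspn(display, "@");
    if (n == 0 || n >= outlen || display[n] != '@') return -1;
    if (memchr(display, '/', n) || memchr(display, '\\', n)) return -1;
    if (strcmp(display + n + 1, local_realm) != 0) return -1;
    memcpy(out, display, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed display names, not taken from any real deployment. */
    const char *samples[] = { "bob@EXAMPLE.ORG", "root@OTHER.EXAMPLE",
                              "alice/admin@EXAMPLE.ORG", "carol" };
    char a[64], b[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int na = naive_username(samples[i], a, sizeof a);
        int st = strict_username(samples[i], "EXAMPLE.ORG", b, sizeof b);
        printf("%-26s naive=%-12s strict=%s\n", samples[i],
               na == 0 ? a : "(rejected)", st == 0 ? b : "(rejected)");
    }
    return 0;
}
```

The naive cut yields "root" for a principal from a foreign realm and passes "alice/admin" through as if it were a local account name; the strict version rejects both.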