[44] in athena10
Re: Building our own Kerberos
daemon@ATHENA.MIT.EDU (Tim Abbott)
Sat Jan 12 02:06:18 2008
Date: Sat, 12 Jan 2008 02:06:05 -0500 (EST)
From: Tim Abbott <tabbott@MIT.EDU>
To: Greg Hudson <ghudson@mit.edu>
cc: athena10@mit.edu, debathena@mit.edu
In-Reply-To: <1200119315.6088.15.camel@error-messages.mit.edu>
Message-ID: <Pine.LNX.4.64L.0801120134150.26368@mega-man.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

We considered the divert option when deciding to build our own Kerberos,
but there are a few difficulties.

We'd have to be careful that the wrapper correctly parsed the arguments to
kinit so that (e.g.) "kinit -5" would still work correctly.

Also, the kinit binary does self-document whether its default is to get
just 5 tickets or 5 and 4 tickets, which may result in some confusion.

There are also advantages to not changing the default kinit behavior.
For people who use other Kerberos realms as well (e.g. CSAIL folks),
kinit -54 tabbott@CSAIL.MIT.EDU gives an error.

-Tim Abbott

On Sat, 12 Jan 2008, Greg Hudson wrote:
> I wonder if we could also just install a wrapper script
> for /usr/bin/kinit using a diversion.
>
> Right now if you were to kinit and not get new krb4 tickets, you would
> mostly suffer from:
>
> * Zephyr won't work. That may be fixed by Athena 10 because we've
> received patches for krb5 zephyr (though I won't have time to review
> them until February). Of course, if we're using the native Debian
> package we'll need to get them to take an update, but I believe the
> person who submitted the krb5 patches to me (Karl) is also the person
> who maintains the Debian package, so that shouldn't be a big deal.
>
> * Kerberos authentication to the PO servers won't work. All of the
> IMAP clients support krb5 auth (if they supported krb4 auth, at least)
> but the PO servers don't have it turned on. I have no idea what NIST's
> schedule is here. nmh is also a problem since krb5 KPOP is somewhat
> unlikely to ever happen; background ideas on this range from figuring
> out how to get GNU mailutils to work as an nmh replacement to finding a
> way to hack "inc" to use krb5 IMAP.
>
>
>
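
The argument-parsing difficulty raised in this thread, as an added example that is not part of either message and is not Athena or Debathena code: a wrapper has to know which kinit options take a value before it can tell whether -4 or -5 was given and which realm the principal names. The diverted path `/usr/bin/kinit.real`, the `KRB4_REALM` default, the function names and the option string are assumptions for illustration.

```shell
#!/bin/sh
# Added example: decide which ticket flags a kinit wrapper should prepend.
# Assumptions, not from the thread: the diverted path, the krb4 realm
# default, and the option string (check it against the installed kinit).
REAL_KINIT=${REAL_KINIT:-/usr/bin/kinit.real}   # hypothetical diverted binary
KRB4_REALM=${KRB4_REALM:-ATHENA.MIT.EDU}        # realm that still issues krb4
# A letter followed by ':' takes a value, so in "-l 10h tabbott" the
# lifetime is consumed with -l and is not mistaken for the principal.
OPTSTRING=':54Vl:s:r:fFpPaAvRkt:c:S:'

# Print the flags to prepend for the given kinit arguments ("-5 -4" or nothing).
# Limitation: like POSIX getopts, scanning stops at the first non-option.
kinit_extra_flags() {
    OPTIND=1
    explicit=no
    while getopts "$OPTSTRING" opt; do
        case $opt in
            4|5) explicit=yes ;;   # also catches bundled forms such as -54
            \?|:) return 0 ;;      # unknown or malformed: let kinit report it
        esac
    done
    shift $((OPTIND - 1))
    # The user chose ticket versions explicitly; respect that.
    if [ "$explicit" = yes ]; then return 0; fi
    case ${1:-} in
        *@"$KRB4_REALM") ;;        # explicit home realm
        *@*) return 0 ;;           # other realm: adding -54 would fail
    esac                           # no realm given: default realm assumed
    echo "-5 -4"
}

kinit_wrapper() {
    extra=$(kinit_extra_flags "$@")
    # $extra is deliberately unquoted so "-5 -4" becomes two arguments.
    exec "$REAL_KINIT" $extra "$@"
}

# Constructed sample command lines; an installed wrapper would instead
# end with: kinit_wrapper "$@"
for args in "" "-5" "-l 10h tabbott" "-54 tabbott@CSAIL.MIT.EDU" \
            "tabbott@CSAIL.MIT.EDU" "-k -t /etc/krb5.keytab tabbott"; do
    printf 'kinit %-28s -> [%s]\n' "$args" "$(kinit_extra_flags $args)"
done
```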