[39181] in Kerberos


Re: appl/simple/client/sim_client.c uses internal APIs

daemon@ATHENA.MIT.EDU (Florian Weimer)
Fri Feb 24 14:32:16 2023

From: Florian Weimer <fweimer@redhat.com>
To: Sam Hartman <hartmans@debian.org>
Cc: Simo Sorce <simo@redhat.com>, kerberos@mit.edu
Date: Fri, 24 Feb 2023 20:27:58 +0100
In-Reply-To: <tslfsavt63p.fsf@suchdamage.org> (Sam Hartman's message of "Fri, 
 24 Feb 2023 08:50:50 -0700")
Message-ID: <878rgmn9s1.fsf@oldenburg.str.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

* Sam Hartman:

>>>>>> "Florian" == Florian Weimer <fweimer@redhat.com> writes:
>
>     Florian> * Sam Hartman:
>     >>>>>>> "Simo" == Simo Sorce <simo@redhat.com> writes:
>     >> 
>     Simo> Wherever possible you should recommend people use GSSAPI and
>     Simo> not krb5 APIs directly, unless they are building tools
>     Simo> specifically to manage aspects of krb5 (acquiring tickets,
>     Simo> managing ccaches, etc.)
>     >> 
>     >> I agree with the above.  I also think that the simple client
>     >> referred to in the subject has a bunch of anti-patterns.  As an
>     >> example, I don't think it integrity protects or encrypts its
>     >> exchanges; I think it's too simple to actually be useful in
>     >> today's world.
>     >> 
>     >> That said, it looks like krb5_auth_con_genaddrs is probably the
>     >> API you want to use instead of krb5_gen_portaddr.  It takes an
>     >> auth context and a socket FD and extracts addresses from the
>     >> socket FD.
>     >> 
>     >> I suspect that the auth context machinery will generate the
>     >> replay cache name for you, and again, you don't need that API
>     >> either.  But please use GSS-API instead:-)
>
>     Florian> I need to fix Authen::Krb5 (a Perl wrapper) not rely on
>     Florian> these krb5 internals.  Obviously, this is going to stay a
>     Florian> krb5 wrapper, and won't switch to GSSAPI.  So I'd really
>     Florian> appreciate if someone would fix the
>     Florian> appl/simple/client/sim_client.c example not to rely on
>     Florian> <k5-int.h>, so that I can apply the parallel changes to the
>     Florian> Perl port of this example code.
>
> That code is not maintained, and I'd probably fix it with git rm.
> If you'll point me at upstream sources for authen::krb5 I'll take a
> look and figure out a recommendation for whether deleting or some sort of
> repair is best in that case.

The Perl translation is here:

<https://metacpan.org/release/IOANR/Authen-Krb5-1.905/source/eg/simple_client>

It's not an exact translation of the C because it creates a replay cache:

  # create the replay cache
  ($l,$r) = $ac->getaddrs();
  $lap = Authen::Krb5::gen_portaddr($l,$s->sockport());
  $rcn = Authen::Krb5::gen_replay_name($lap,"foobar");
  $rc = Authen::Krb5::get_server_rcache($rcn);
  $ac->setrcache($rc);

The setrcache part is missing in the C version, it seems.

If the Perl example is still broken, we should of course remove it.

Thanks,
Florian
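For readers following Sam's suggestion, here is an added server-side sketch of what the quoted replay-cache block looks like when the addresses come from the auth context rather than from gen_portaddr/gen_replay_name. It is example code written for this thread, not code from Authen::Krb5, MIT krb5 or the appl/simple programs. It assumes that Authen::Krb5::AuthContext->genaddrs wraps krb5_auth_con_genaddrs, that the KRB5_AUTH_CONTEXT_GENERATE_*_FULL_ADDR and KRB5_NT_SRV_HST constants are exported by Authen::Krb5, and that recvauth/get_server_rcache behave as in the module's documentation; the service name, keytab path, port and protocol version string are placeholders.

```perl
#!/usr/bin/perl
# Added example, not part of Authen::Krb5 or MIT krb5.
# Server side of a simple TCP service: addresses and replay cache are set
# up through the auth context instead of through gen_portaddr() and
# gen_replay_name().  Assumptions (see lead-in): genaddrs() wraps
# krb5_auth_con_genaddrs(); the named constants are exported by Authen::Krb5.
use strict;
use warnings;
use IO::Socket::INET;
use Sys::Hostname;
use Authen::Krb5;

my $service = 'sample';            # placeholder service name
my $keytab  = '/etc/krb5.keytab';  # placeholder keytab path
my $port    = 12345;               # placeholder TCP port
my $version = 'SIMPLE_V1';         # placeholder application protocol version

Authen::Krb5::init_context() or die "init_context: " . Authen::Krb5::error();
Authen::Krb5::init_ets();

# Service principal for this host, e.g. sample/host.example.com@REALM.
my $server = Authen::Krb5::sname_to_principal(hostname(), $service,
                                              Authen::Krb5::KRB5_NT_SRV_HST())
    or die "sname_to_principal: " . Authen::Krb5::error();
my $kt = Authen::Krb5::kt_resolve($keytab)
    or die "kt_resolve: " . Authen::Krb5::error();

# Authenticate one connected peer; returns the client principal on success.
sub authenticate_peer {
    my ($sock, $server, $kt, $service, $version) = @_;

    my $ac = Authen::Krb5::AuthContext->new()
        or die "AuthContext->new: " . Authen::Krb5::error();

    # Let libkrb5 read both endpoints (address and port) from the connected
    # socket itself.  This replaces getaddrs() + gen_portaddr(), so no
    # internal address API is needed.  (Assumed wrapper of
    # krb5_auth_con_genaddrs.)
    $ac->genaddrs($sock,
                  Authen::Krb5::KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR()
                | Authen::Krb5::KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR())
        or die "genaddrs: " . Authen::Krb5::error();

    # Replay cache keyed on the service name through the public
    # get_server_rcache() entry point; this replaces gen_replay_name().
    # As noted in the thread, rd_req/recvauth can also pick a default replay
    # cache when none is set, but setting it explicitly keeps the behaviour
    # of the original Perl example.
    my $rc = Authen::Krb5::get_server_rcache($service)
        or die "get_server_rcache: " . Authen::Krb5::error();
    $ac->setrcache($rc)
        or die "setrcache: " . Authen::Krb5::error();

    # Receive and verify the AP-REQ from the peer against our keytab entry.
    # A replayed authenticator is rejected here because of the rcache above.
    my $ticket = Authen::Krb5::recvauth($ac, $sock, $version, $server, $kt)
        or die "recvauth: " . Authen::Krb5::error();

    return $ticket->enc_part2->client;
}

my $listen = IO::Socket::INET->new(LocalPort => $port, Proto => 'tcp',
                                   Listen => 5, ReuseAddr => 1)
    or die "listen: $!";

while (my $conn = $listen->accept) {
    my $client = authenticate_peer($conn, $server, $kt, $service, $version);
    printf "authenticated %s@%s\n", join('/', $client->data), $client->realm;
    # Application data exchanged after this point should go through
    # mk_priv/rd_priv (or GSS-API wrap/unwrap) rather than in the clear,
    # which is the missing integrity/confidentiality protection Sam mentions.
    close $conn;
}
```

The genaddrs call needs a connected socket, since the remote address is read from the socket's peer; the UDP flow of the original sim_server would have to connect() the socket first or set only the local address.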

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
