[39189] in Kerberos
Re: appl/simple/client/sim_client.c uses internal APIs
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Feb 24 15:55:33 2023
Date: Fri, 24 Feb 2023 14:50:35 -0600
From: Nico Williams <nico@cryptonector.com>
To: Russ Allbery <eagle@eyrie.org>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Message-ID: <Y/kjG1LGtq1XRLKO@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <878rgmhl3q.fsf@hope.eyrie.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Feb 24, 2023 at 12:19:53PM -0800, Russ Allbery wrote:
> Nico Williams <nico@cryptonector.com> writes:
> > If you're just trying to set up a GSS context between a client and a
> > server, then GSS is really simple, and much simpler than the krb5 API.
>
> I'm very dubious about this statement. The requirement to handle
> negotiation and potential multiple round trips and all the complexity with
> major and minor status codes makes the equivalent GSS code complicated and
> annoying.

If you're using SPNEGO then you don't have to concern yourself with
negotiation. If you're implementing SSHv2 or SASL it's another story,
though not much more complicated because you're doing negotiation at a
layer that already does it and all you have to do is maybe pick a GSS
mechanism.

RFC 7546 exists.

I've written a fair amount of app code using krb5 and GSS APIs, and I
strongly prefer GSS code.

> GSS pays a significant price for being a generic mechanism with a
> negotiation method, and the API does not hide that price from the
> programmer.

It does pay a price, but if all you need is encrypted sessions, then
it's simple.

GSS does have some ugly things, mainly OIDs, but also not having
something like a krb5_context. Regarding not having a krb5_context,
I've played with a couple of ways to fix that in Heimdal: either a)
enhancing the `OM_uint32 *minor_status` to be a more complex, opaque
object, or b) adding configuration key/value parameters to the
`cred_store` used in `gss_acquire_cred_from()`.

Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos