[OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Jeffrey Altman
jaltman@secure-endpoints.com
Thu, 30 Aug 2007 03:30:15 -0400
Henry B. Hotz wrote:
> Feel free to add them, especially if you think MIT might actually devote
> some implementation resources. I'm not excluding anybody. I added
> OpenAFS because I wanted to talk about PAGs and thought it might spur
> some OpenAFS developer to contribute.
MIT is unlikely to contribute resources. They don't have any.
However, if you want to get anything implemented by anyone and have
it accepted by the OS vendors who for the most part build their
environments using MIT Kerberos, you had better have them in the loop.
This thread has gone from a discussion of how to share a MEMORY
credential cache between MIT and Heimdal Kerberos implementations when
they are loaded into the same process (for example in Python or Perl
modules) to just about every other topic that could be associated with
a credential cache including PAGs.
In my opinion, here are the work items that people can put resources into
that will prove useful in the short term:
1. Compatible plug-in architectures for credential caches and replay
caches in Heimdal and MIT Kerberos. The two implementations are
already extremely similar. It would not be hard to develop a common
Service Provider Interface that third party caches could use.
Separate modules would still have to be produced for both Heimdal
and MIT Kerberos but they could be compiled from a common source
code base that shared 98% of the code.
2. Development of third party cache implementations that make use of
OS specific functionality. Or contribute resources to assist MIT
in implementing the CCAPI for UNIX. They have a new C language
implementation that is being used on Mac OS X that can be used as
the basis for implementations for other UNIX like operating systems.
The combination of the first two would provide a long term solution
to the subject that originally got this thread started.
3. Take a baseball bat and hit the sales reps from the major OS vendors
over the head that they have to support session or process group
scoped stores for credential data. File-based caches suck for
all the obvious reasons. But it is only when the OS vendor says that
XYZ is the system's cache that you will find all of the Kerberos
implementations commit to using it. It's not just MIT and Heimdal
that are important but all the Java implementations, Mono, CyberSafe,
Quest, etc.
Jeffrey Altman
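Point 3 of the message above argues that file-based credential caches are a poor place to keep tickets until the OS vendors ship session-scoped stores. The script below is an added example for this thread, not code from MIT Kerberos, Heimdal or OpenAFS, and it shows the kind of check an administrator is left doing in the meantime: walk the default FILE: cache location and flag the failure modes that a process-private or session-scoped store would rule out by construction. What it relies on from the real implementations is the default naming convention krb5cc_<uid> (both MIT and Heimdal default to FILE:/tmp/krb5cc_%{uid}; some login tools append a per-session suffix) and the FILE cache header, a 0x05 byte followed by a format version of 1 through 4. The directory it audits, the 24-hour staleness threshold and the sample files it builds are assumptions constructed for the demonstration.

```python
"""Audit file-based Kerberos credential caches (FILE:/tmp/krb5cc_<uid>).

Added example for this thread, not code from MIT Kerberos, Heimdal or
OpenAFS. It looks for the problems a file-based cache invites: a cache
readable by anyone but its owner, a cache owned by a different uid than
its name claims, a symlink planted where the library will write, a file
that is not a ccache at all, and a stale cache that outlived its session.
"""
import os
import re
import stat
import tempfile
import time

# Default naming shared by MIT and Heimdal: krb5cc_<uid>, optionally with a
# per-session suffix such as krb5cc_1000_AbCdEf added by some login tools.
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_[^/]+)?$")

# A FILE ccache begins with 0x05 followed by the format version (1..4).
CCACHE_MAGIC = 0x05

# Assumption for this example: a cache untouched for a day has outlived any
# interactive session and should not still be sitting on disk.
MAX_AGE_SECONDS = 24 * 60 * 60


def looks_like_ccache(path):
    """Return True if the first two bytes match the FILE ccache header."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    return len(head) == 2 and head[0] == CCACHE_MAGIC and 1 <= head[1] <= 4


def audit_ccache_dir(directory, now=None):
    """Return a list of (filename, finding) pairs for caches in directory."""
    now = time.time() if now is None else now
    findings = []
    for name in sorted(os.listdir(directory)):
        match = CCACHE_NAME.match(name)
        if not match:
            continue  # not named like a credential cache; ignore
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat so a planted symlink is not followed
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not-a-regular-file"))
            continue
        if st.st_uid != int(match.group(1)):
            findings.append((name, "owner-mismatch"))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "group-or-world-accessible"))
        if not looks_like_ccache(path):
            findings.append((name, "bad-header"))
        if now - st.st_mtime > MAX_AGE_SECONDS:
            findings.append((name, "stale"))
    return findings


def build_demo_dir():
    """Construct a /tmp-like directory with one good cache and several bad
    ones (sample data made up for this example). Returns (directory, uid)."""
    directory = tempfile.mkdtemp(prefix="krb5cc-audit-")
    uid = os.getuid()
    header = bytes([CCACHE_MAGIC, 4])  # format version 4, as MIT writes it

    def write(name, body=header, mode=0o600):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
        return path

    write("krb5cc_%d" % uid)                           # the one good cache
    write("krb5cc_%d_s1" % uid, mode=0o644)            # world-readable
    write("krb5cc_%d" % (uid + 1))                     # name claims another uid
    write("krb5cc_%d_s2" % uid, body=b"not a cache")   # wrong header
    old = write("krb5cc_%d_s3" % uid)
    os.utime(old, (time.time() - 3 * MAX_AGE_SECONDS,) * 2)  # stale
    os.symlink("/etc/passwd", os.path.join(directory, "krb5cc_%d_s4" % uid))
    write("README")                                    # not a ccache name
    return directory, uid


if __name__ == "__main__":
    demo_dir, _ = build_demo_dir()
    for filename, finding in audit_ccache_dir(demo_dir):
        print("%s: %s" % (filename, finding))
```

Run it against a real /tmp with `audit_ccache_dir("/tmp")` as root; the uid in the filename is compared against the actual owner precisely because the name is the only thing a library consults when it picks the default cache.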