Re: Encryption

From: Ivan Popov <>
Date: Wed, 7 Apr 2004 10:39:22 +0200

On Wed, Apr 07, 2004 at 01:32:27AM +0200, Michael Tautschnig wrote:
> > There should be _no_ hostname used for the auth service principal,
> > we were just inventing a problem.
> What else should that be then? Something like coda/coda.realm@REALM

exactly, one service principal per (Coda realm, Kerberos realm) is sufficient,
like coda/coda.realm@KRB.REALM as you say
(note that the existing code forces one Coda realm - one Kerberos realm
relation, while a Coda realm could otherwise use services of more than one
independent Kerberos realm as well)

> > I do not think either that the code is worth improving.
> > I'd rather like to replace it with the experimental new modular one.
> Is there any yet? Where can I find it?

You can't :) unless you proclaim to be really determined to change the world :)

There is a rewritten clog suite but it is basically waiting for
1. completion (working fine but some details should be fixed like
   server side rewrite and merging all implemented authentication
   methods (*-gss))
2. token format change which is desirable for some reasons including
3. changes in Coda identity database to embrace more general
   identities namespace
4. approval :) of Jan & Satya which seems a questionable thing given the deep
   impact and incompatibilities introduced by the steps above

The earliest point where it could be present (if at all) is probably
the as yet unplanned Coda 7 ... ?

For the moment I have been running it since December in "compatibility" configuration
and maybe it is worth merging "as-is" - but it will certainly break some
setups. E.g. pam_kcoda should be rewritten to interact with it.
(put it as "1a" in the list above...)

Probably you are better off using the existing code with your patch.
(btw, I guess your patch could help as well by forcing to lowercase,
then it would be possibly more compatible with the "usual case"?)

