[27781] in Kerberos


Re: @ character in username

daemon@ATHENA.MIT.EDU (Booker C. Bense)
Tue May 15 20:18:54 2007

In-Reply-To: <59DF7BB2-801F-4466-80B8-F994E1D242C2@stanford.edu>
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <E421E33C-F2C3-48B4-B032-1FC796BCEF80@stanford.edu>
From: "Booker C. Bense" <bbense@stanford.edu>
Date: Tue, 15 May 2007 17:18:48 -0700
To: "Booker C. Bense" <bbense@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



>
> On May 15, 2007, at 12:04 PM, Russ Allbery wrote:
>
>> Booker C Bense <bbense@stanford.edu> writes:
>>
>>> Kerberos code has changed a lot since 1993, but I suspect there are
>>> still bugs lurking in dealing with these kinds of things. If there is
>>> anything you can do to avoid using these kinds of principals I would
>>> highly recommend doing so.
>>
>> Hm, we're likely to start deploying users of this type in a separate
>> realm for our guest authentication project.  Does anyone have more
>> recent experience specifically with the K5 code?  It looked to me from
>> reading the code that it should work fine provided that the @ was
>> always escaped whenever it was entered in text form.
>
> I think the key words here are "the @ was always escaped". Just like
> "lower case realms should not be a problem" and we both know how well
> that one worked out.
>
> If it was me, I would think really hard about this and try and map the
> guest accounts to things like
>
> user/foo.remote.com
>
> rather than
>
> user\@foo.remote.com
>
> Either way you're going to put a lot of work into wrapping and dealing
> with the principal. There is some chance 3rd party software will
> properly deal with the first and very little that it will get the
> second right. If you can control every piece of software that might
> touch the principal, you can probably get away with doing the latter.
> We eventually had code that dealt with things like this


"Dr. John Austin"@some.where.foo@EPRI.COM

I've no idea whether Cygnus ever bothered to feed it back upstream or not.

_ Booker C. Bense 
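
The difference between the two principal forms discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: a simplified model of backslash escaping in the text form of a principal, set beside the escape-unaware split that third-party software tends to do. The realm `GUEST.EXAMPLE.ORG` and all function names are constructed for illustration.

```python
# Added illustration: simplified model of backslash escaping in the text
# form of a Kerberos principal. Not the MIT krb5 implementation.

def naive_parse(text):
    """Escape-unaware handling: split at the first '@', then on '/'."""
    name, _, realm = text.partition("@")
    return name.split("/"), realm

def parse_principal(text):
    """Split on unescaped '/' and '@'; a backslash makes the next char literal."""
    components, current, realm = [], [], None
    chars = iter(text)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("trailing backslash")
            current.append(nxt)
        elif ch == "/" and realm is None:      # component separator
            components.append("".join(current))
            current = []
        elif ch == "@":                        # name/realm separator
            if realm is not None:
                raise ValueError("more than one unescaped '@'")
            components.append("".join(current))
            current, realm = [], ""
        else:
            current.append(ch)
    if realm is None:
        return components + ["".join(current)], None
    return components, "".join(current)

def escape(part):
    """Escape the characters that would otherwise act as separators."""
    return "".join("\\" + c if c in "\\/@" else c for c in part)

def unparse_principal(components, realm):
    name = "/".join(escape(c) for c in components)
    return name if realm is None else name + "@" + escape(realm)

if __name__ == "__main__":
    # Constructed samples based on the two forms in the message.
    for text in (r"user\@foo.remote.com@GUEST.EXAMPLE.ORG",
                 "user/foo.remote.com@GUEST.EXAMPLE.ORG"):
        print(text, naive_parse(text), parse_principal(text), sep="\n  ")
```

For the escaped form the naive split reports the realm as `foo.remote.com@GUEST.EXAMPLE.ORG`, while the two-component form parses identically either way.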