On 2021-11-20 at 18:25, Karl Wright wrote:
These protocols are, unfortunately, still used.

ManifoldCF, which does much integration with windows
systems, supports Kerberos but only in the most hacky way, because there
wasn't anything more seamless available.

I would therefore counter-propose that Kerberos become a first-class
replacement to NTLM before NTLM is discontinued.  By first-class, I mean
that it is possible to programmatically set up a kerberos connection
without an external config file.  Maybe this is now possible; if so please
correct me.

Yes, this is impossible. Even impossible with MIT Kerberos. You must have at least a krb5.conf and a JAAS login file. Read further.

I would love to be able to contribute to this effort, but I fear my day
job's responsibilities are so vast and growing that this will be
impossible.  At best I can maintain the projects I have; new development is
out of the question at the moment.

This is purely a Java problem, not a Kerberos problem. The configuration is inevitable because Java is portable; otherwise you need to resort to native APIs, e.g., JNA/JNA to SSPI or MIT Kerberos, but that would require custom authenticators. There is now an SSPI binding/implementation for JGSS, but it is not good. I told Weijun Wang this already, but he's the only one at Oracle who is working on this, read busy (read my mails on security-dev). Another huge issue is that stupid JAAS/LoginModule/Subject thing in Java. It does not have the credential acquisition API [1], [2] which MIT Kerberos introduced many years ago, plus it does not even interact to store tickets in the local FILE cache. I'd love to solve all of these issues, but it cannot just be me in the Java world to solve a problem for millions of devs. Nico Williams of Six Sigma had bright ideas, but very little time.

Michael

[1] https://pythongssapi.github.io/python-gssapi/stable/gssapi.raw.html#module-gssapi.raw.ext_cred_store
[2] https://pythongssapi.github.io/python-gssapi/stable/gssapi.raw.html#module-gssapi.raw.ext_password
