Kerberos v4 Common Cache & Tickets Project

Proposed Common Cache API

Here's the 970908 version (revision 4) of the CacheAPI document.

Here's the 970725 version (revision 3) of the CacheAPI document.

Here's a revised version of Ted T'so's Proposal for a common V5 cache. It contains a section that lists what we changed.

Background research

• Jenny's page of references on Memory Mapped Files
  
  

• Ted's Kerberos V5 Credentials Cache DLL draft specification
  
  

• What does an MIT cache (1997) look like?

  • Here's a dissected example of an MIT cache with 3 tickets.
  
  

• What does a Kerb95 cache look like?

  • Here's a dissected example of a Kerb95 cache with 1 (tgt) ticket.
  
  

• Slightly higher level analysis

  • what's in the caches, data types, what's different, what's the same, what are the problems.
  
  

• Miscellaneous

  • Where configuration information is stored

Criteria

• Test by mid-July, deploy before fall semester begins
• Works on both Win95 & NT
• Shared cache and tickets among all 32 bit kerberos v4 DLLs
• Single signon, or appearance of (e.g. all tickets fetched during login as Transarc does)
• Minimize the # of dialog boxes that say "Gimme your kerberos password"
• Cache should hold tickets for multiple principals (e.g. administrator & user)
• Cache should hold tickets from multiple realms for single principal (e.g. sgr@umich.edu & sgr@caen.engin.umich.edu) Or is this the same as multiple principals?
• Shared cache and tickets with 16 bit krbv4win.dll (via named pipes, thunks, or OLE)

Strawman Proposals

• Plan A

  Use K95 code as base for cache DLL. Have MIT code call K95 API. Here's a proposed mapping of MIT calls to K95 interface. I'm sure this isn't complete, or completely correct.
  • Pros:
    • Shortest route to common v4 cache?
  • Cons:
    • Doesn't do much towards goal of cache DLL useable for v5

• Plan B

  Implement Ted's Cache DLL. Have both MIT and K95 call it. I haven't got a proposed mapping yet.
  • Pros:
    • Useable for V4 and V5 tickets.
    • Can store multiple principals. A cache has "named" subsets, (via cc_create & cc_open) each with it's own "principal".
  • Cons:
    • Ted's API doesn't provide functions to get things out of tickets. It stores & retrieves opaque tickets (and a "principal"). We could provide the routines to access ticket parts. Is this another DLL, or additional fcns in the cache DLL?

Free Advice

You get what you pay for but, a bit of advice I was given long ago seems pertinent:

Never let one person design both sides of an interface. They'll take shortcuts and do things on "the easy side". You should have two people, one on each side of the interface, and they have to work out all the interface details. -- Bob Husak

Last update: 16 June 1997 by sgr@umich.edu