Skip Menu |

Subject: reconsider structure of code for locating and contacting kdc, krb524d, kpasswd
Download (untitled) / with headers
text/plain 1.3KiB
I think we might want to reconsider how Kerberos-related services are
located and how the communications are handled.

The use_master approach (see also ticket 1505) will result in
contacting the master KDC twice, if an incorrect password is given
and the master KDC is at the highest priority in the "normal" KDC

The send-to-server loop can initiate a TCP connection, shut it
down (after a response is received by UDP), and start it up again
(if the response was RESPONSE_TOO_BIG).

The DNS queries and message transmission are needlessly serialized
(see also ticket 1453).

The kpasswd protocol, since it uses a KRB_PRIV message, currently
requires that the sender and recipient addresses be encoded into
the message.

Various heuristics are used in different places for locating a
service (most often, "locate this other service, and tweak the
port numbers").

Perhaps some better framework can be devised for encompassing more of
the general functionality, and avoid some of the duplication of code
and traffic.

The first two issues might be resolved by allowing the processing of a
response to alter the set of servers being contacted, rather than
shutting down all the communications immediately.

It would probably also be useful to add hooks for letting the user
cancel attempts to reach the server (e.g., a "cancel" button).