On Mon, Jan 15, 2007 at 08:50:47PM +0000, Mark McLoughlin wrote:
> On Thu, 2007-01-11 at 00:39 +0000, Daniel P. Berrange wrote:
>
> > Finally, one could simply say, this is all rather complicated, why don't
> > we just use a simple username+password for everything. While this would
> > be nice from a coding POV, I think we need to be forward looking and
> > ensure we're set up to cope with things like Kerberos single-sign-on.
> > This is why I'm looking at SASL for the QEMU authentication process - if
> > you use libsasl.so your app doesn't even need to know what auth method
> > it is using - the admin can simply create an appropriate config file
> > for sasl, and bingo you're fully kerberized & single sign-on capable.
>
> SASL and all it entails does seem like the only sane approach.
>
> Perhaps look at the D-Bus API ... I vaguely remember being impressed at
> the work Havoc did with SASL in D-BUS.

This is a joke, right :-) D-Bus auth protocol was indeed designed to allow
a SASL impl to be dropped in, but AFAIR neither the client/server side was
ever implemented in the code, since it's not needed for local node only
comms. There's still a nice big TODO item there.

> Also, it might be nice to keep all the "remote stuff" nicely isolated
> from the rest of the libvirt API which is nice and straightforward right
> now.

Yeah, I really don't want to push a complex API onto all users of the
library.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|