Re: unified authentication

From: Robert Watson (rwatson_at_freebsd.org)
Date: 09/24/03

  • Next message: Jesse Guardiani: "Re: unified authentication"
    Date: Wed, 24 Sep 2003 15:59:44 -0400 (EDT)
    To: Jesse Guardiani <jesse@wingnet.net>
    
    

    On Wed, 24 Sep 2003, Jesse Guardiani wrote:

    > On Wednesday 24 September 2003 12:54, Matthew George wrote:
    > > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
    > > > 1.) Kerberos
    > >
    > > krb is nice, but the problem with it is that all of your applications need
    > > to be kerberized in order to support ticket validation from the krb
    > > server. There is an interesting description (albeit slightly dated) of
    > > how the system works at:
    > >
    > > http://web.mit.edu/kerberos/www/dialogue.html
    >
    > Yes, I found that after I posted to the list. Very informative.
    >
    > I understand what you're saying when you say that all applications need
    > to be kerberized in order to work, but isn't that true of any auth
    > mechanism?
    >
    > Perhaps kerberization just isn't as widespread as something like LDAP?

    My current preference in new installs is to use Kerberos5 for
    authentication and LDAP for account information. If you're willing to
    throw SSL into the mix, a lack of "kerberization" isn't such a problem --
    you basically end up using Kerberos5 as a distributed password mechanism
    for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
    etc.

    Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
    robert@fledge.watson.org Network Associates Laboratories
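
Added example, not part of Robert Watson's message: a configuration sketch of the setup described above for a non-Kerberized IMAP-over-SSL daemon. It assumes the daemon authenticates through PAM under a service named `imap` (hypothetical name), that FreeBSD's pam_krb5 module is used, and that an nss_ldap-style module provides the `ldap` source for nsswitch.

```conf
# /etc/pam.d/imap   (hypothetical PAM service name; assumption)
# The daemon receives the plaintext password inside the SSL session and
# hands it to PAM. pam_krb5 checks it by requesting a ticket from the KDC,
# so Kerberos5 acts as the distributed password store.
# no_ccache: do not keep a credential cache; the mail daemon cannot use tickets.
auth     required   pam_krb5.so   no_ccache
account  required   pam_krb5.so

# /etc/nsswitch.conf
# Account information (uid, gid, home directory, shell) is looked up in LDAP.
# No password hashes need to be stored in the directory.
passwd: files ldap
group:  files ldap
```

In this arrangement the service host sees the user's password, so the SSL session and the host itself are inside the trust boundary, which is not the case for a Kerberized client presenting a ticket.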


