Re: unified authentication

From: Robert Watson (
Date: 09/25/03

  • Next message: Robert Watson: "Re: unified authentication"
    Date: Thu, 25 Sep 2003 11:54:55 -0400 (EDT)
    To: Jesse Guardiani <>

    On Wed, 24 Sep 2003, Jesse Guardiani wrote:

    > > My current preference in new installs is to use Kerberos5 for
    > > authentication and LDAP for account information. If you're willing to
    > > throw SSL into the mix, a lack of "kerberization" isn't such a problem --
    > > you basically end up using Kerberos5 as a distributed password mechanism
    > > for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
    > > etc.
    > And that's more or less what I was thinking of doing here, except it
    > wouldn't be IMAP and SMTP (because that is already handled by my mail
    > server's MySQL database), but Kerberos as a distributed password
    > mechanism for SSH, Apache .htaccess, Cisco routers, etc...
    > Does that work well with FreeBSD 4.8? Or would I need to use 5.x to
    > deploy Kerberos5 in that manner?

    Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
    due to a lack of complete NSS support--to do this directly, you'd need to
    run 5.x. My understanding is that some sites dump their LDAP databases to
    NIS databases and share them on the FreeBSD side using NIS, which is also
    a reasonable (if less secure) solution. If you just want to use Kerberos5
    for password sharing, 4.x should be no problem at all.

    Robert N M Watson FreeBSD Core Team, TrustedBSD Projects Network Associates Laboratories

    _______________________________________________ mailing list
    To unsubscribe, send any mail to ""

  • Next message: Robert Watson: "Re: unified authentication"