unified authentication

Jesse Guardiani jesse at wingnet.net
Wed Sep 24 13:14:13 PDT 2003


Robert Watson wrote:

> 
> On Wed, 24 Sep 2003, Jesse Guardiani wrote:
> 
>> On Wednesday 24 September 2003 12:54, Matthew George wrote:
>> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
>> > > 1.) Kerberos
>> >
>> > krb is nice, but the problem with it is that all of your applications
>> > need to be kerberized in order to support ticket validation from the
>> > krb server.  There is an interesting description (albeit slightly dated)
>> > of how the system works at:
>> >
>> > http://web.mit.edu/kerberos/www/dialogue.html
>> 
>> Yes, I found that after I posted to the list. Very informative.
>> 
>> I understand what you're saying when you say that all applications need
>> to be kerberized in order to work, but isn't that true of any auth
>> mechanism?
>> 
>> Perhaps kerberization just isn't as widespread as something like LDAP?
> 
> My current preference in new installs is to use Kerberos5 for
> authentication and LDAP for account information.  If you're willing to
> throw SSL into the mix, a lack of "kerberization" isn't such a problem --
> you basically end up using Kerberos5 as a distributed password mechanism
> for non-Kerberized clients.  I.e., using IMAP over SSL, SMTP over SSL,
> etc.

And that's more or less what I was thinking of doing here, except it wouldn't
be IMAP and SMTP (because that is already handled by my mail server's MySQL
database), but Kerberos as a distributed password mechanism for SSH, Apache
.htaccess, Cisco routers, etc...

Does that work well with FreeBSD 4.8? Or would I need to use 5.x to deploy
Kerberos5 in that manner?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net



