unified authentication

Robert Watson rwatson at freebsd.org
Wed Sep 24 13:00:07 PDT 2003


On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> On Wednesday 24 September 2003 12:54, Matthew George wrote:
> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized in order to support ticket validation from the krb
> > server.  There is an interesting description (albeit slightly dated) of
> > how the system works at:
> >
> > http://web.mit.edu/kerberos/www/dialogue.html
> 
> Yes, I found that after I posted to the list. Very informative. 
> 
> I understand what you're saying when you say that all applications need
> to be kerberized in order to work, but isn't that true of any auth
> mechanism? 
> 
> Perhaps kerberization just isn't as widespread as something like LDAP?

My current preference in new installs is to use Kerberos5 for
authentication and LDAP for account information.  If you're willing to
throw SSL into the mix, a lack of "kerberization" isn't such a problem --
you basically end up using Kerberos5 as a distributed password mechanism
for non-Kerberized clients.  I.e., using IMAP over SSL, SMTP over SSL,
etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories



