From owner-freebsd-arch Fri Feb 16 12:43:14 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 0AA3F37B4EC for ; Fri, 16 Feb 2001 12:43:11 -0800 (PST)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 16DC119380; Fri, 16 Feb 2001 14:43:10 -0600 (CST)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.2/8.9.3) id f1GKhAX91185; Fri, 16 Feb 2001 14:43:10 -0600 (CST) (envelope-from nectar@spawn.nectar.com)
Date: Fri, 16 Feb 2001 14:43:09 -0600
From: "Jacques A. Vidrine"
To: Terry Lambert
Cc: arch@FreeBSD.ORG
Subject: Re: List of things to move from main tree to ports (was Re: Wish List (was: Re: The /usr/bin/games bikeshed again))
Message-ID: <20010216144309.D91104@hamlet.nectar.com>
References: <200102162018.NAA07491@usr05.primenet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200102162018.NAA07491@usr05.primenet.com>; from tlambert@primenet.com on Fri, Feb 16, 2001 at 08:18:09PM +0000
X-Url: http://www.nectar.com/
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 16, 2001 at 08:18:09PM +0000, Terry Lambert wrote:
> > The problem with Kerberos is that it requires substantial integration into
> > base system code that is very security-sensitive.  If you move KerberosIV
> > to a port without some form of integrating it into the base system while
> > using base system {telnetd,ftpd,...} then people who do run Kerberos will
> > suffer a great deal.
>
> In theory, PAM is supposed to permit programs to deal with this;
> many people don't use other than the authentication portion of
> PAM, but it seems that the API is there.

No, this is really only for interactive authentication.  One must be able
to get a password to a PAM-using process, and of course you don't normally
want to do this over the network.

> It would be worthwhile to abstract this code to the point that
> you could plug in Kerberos (or Heimdal), or something else, into
> the programs that currently have non-modular Kerberos specific
> code.

Well, there is already GSSAPI and SASL.  In fact, the telnetd and ftpd in
src/crypto/heimdal use GSSAPI.  Now that we have a GSSAPI implementation
in the base system (Heimdal), we can work on bringing telnetd/ftpd/et al
up to speed.

Unfortunately, sshd uses its own security negotiation protocol which is
incompatible with GSSAPI.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message