From owner-freebsd-security  Thu Dec  3 12:30:31 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id MAA17699
          for freebsd-security-outgoing; Thu, 3 Dec 1998 12:30:31 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA17683
          for <security@FreeBSD.ORG>; Thu, 3 Dec 1998 12:30:28 -0800 (PST)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id PAA13950;
	Thu, 3 Dec 1998 15:29:12 -0500 (EST)
Date: Thu, 3 Dec 1998 15:29:12 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Lyndon Nerenberg <lyndon@execmail.com>
cc: woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: mail.local
In-Reply-To: <199812031844.LAA14212@rembrandt.esys.ca>
Message-ID: <Pine.BSF.3.96.981203152638.13933A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 Dec 1998, Lyndon Nerenberg wrote:

> Not that I'm a big fan of pre-authentication. You still have to support
> communication with remote servers no matter what, so you have to have
> the code to handle AUTHENTICATE. If you want cached credentials, use
> Kerberos. (This is how we run our email in-house.) And you're now
> saying "but Kerberos is a pain to administer." As it's deployed, I
> agree. That argument vanishes if someone writes a user-friendly
> administration front-end to Kerberos to hand-hold a site through the
> intial setup of the Kerberos environment. Make that part easy, and lots
> of people will start using it. (And the recent PAM work will make the
> use of Kerberos much more attractive.)

Kerberos is easy -- it's finding clients that support KerberosIV under
UNIX that's hard.  That is, I have yet to find a copy of the Pine 3.9x
Kerberos IV patches that compile cleanly under FreeBSD, and I don't have
time to write them myself.  What I should really do is upgrade to K5
(which has native support under more recent versions of Pine), but I don't
believe that the CMU Cyrus server supports K5, only K4.  I would have
migrated all of the users of my system to the cyrus server long ago if
pine 3.9x didn't keep asking for passwords and sending them in the clear
text to my cyrus server. :)

  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message