Date: Wed, 24 Sep 2003 15:59:44 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Jesse Guardiani <jesse@wingnet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <Pine.NEB.3.96L.1030924155809.70421B-100000@fledge.watson.org>
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> On Wednesday 24 September 2003 12:54, Matthew George wrote:
> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized in order to support ticket validation from the krb
> > server. There is an interesting description (albeit slightly dated) of
> > how the system works at:
> >
> > http://web.mit.edu/kerberos/www/dialogue.html
>
> Yes, I found that after I posted to the list. Very informative.
>
> I understand what you're saying when you say that all applications need
> to be kerberized in order to work, but isn't that true of any auth
> mechanism?
>
> Perhaps kerberization just isn't as widespread as something like LDAP?

My current preference in new installs is to use Kerberos5 for
authentication and LDAP for account information. If you're willing to
throw SSL into the mix, a lack of "kerberization" isn't such a problem --
you basically end up using Kerberos5 as a distributed password mechanism
for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
etc.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories