From: Jesse Guardiani
Date: Wed, 24 Sep 2003 16:14:04 -0400
To: freebsd-security@freebsd.org
Organization: WingNET
References: <200309241555.30825.jesse@wingnet.net>
Subject: Re: unified authentication
Reply-To: jesse@wingnet.net
List-Id: Security issues [members-only posting]

Robert Watson wrote:
>
> On Wed, 24 Sep 2003, Jesse Guardiani wrote:
>
>> On Wednesday 24 September 2003 12:54, Matthew George wrote:
>> > On Wed, 24 Sep 2003, Jesse Guardiani wrote:
>> > > 1.) Kerberos
>> >
>> > krb is nice, but the problem with it is that all of your applications
>> > need to be kerberized in order to support ticket validation from the
>> > krb server. There is an interesting description (albeit slightly dated) of
>> > how the system works at:
>> >
>> > http://web.mit.edu/kerberos/www/dialogue.html
>>
>> Yes, I found that after I posted to the list. Very informative.
>>
>> I understand what you're saying when you say that all applications need
>> to be kerberized in order to work, but isn't that true of any auth
>> mechanism?
>>
>> Perhaps kerberization just isn't as widespread as something like LDAP?
>
> My current preference in new installs is to use Kerberos5 for
> authentication and LDAP for account information. If you're willing to
> throw SSL into the mix, a lack of "kerberization" isn't such a problem --
> you basically end up using Kerberos5 as a distributed password mechanism
> for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
> etc.

And that's more or less what I was thinking of doing here, except it
wouldn't be IMAP and SMTP (because that is already handled by my mail
server's MySQL database), but Kerberos as a distributed password mechanism
for SSH, Apache .htaccess, Cisco routers, etc...

Does that work well with FreeBSD 4.8? Or would I need to use 5.x to deploy
Kerberos5 in that manner?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
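The arrangement Robert Watson describes above, Kerberos5 acting as the password-checking backend for a service that is not itself Kerberized, is what a PAM stack does for sshd: the client sends its password over the encrypted SSH channel, and the server-side PAM module uses that password to obtain a ticket from the KDC instead of comparing against the local password file. The fragment below is an added illustration for this thread, not a quotation from any of the posters and not FreeBSD's shipped default file. It assumes the per-service /etc/pam.d/sshd layout of FreeBSD 5.x and the base-system pam_krb5 and pam_unix modules; whether the same applies to 4.8 is the question the thread leaves open, and this example does not answer it.

```text
# /etc/pam.d/sshd   (added example, assumed FreeBSD 5.x-style layout)
#
# "auth" chain: ask the KDC first.  "sufficient" means a KDC-accepted
# password ends the chain successfully and pam_unix is never consulted.
# If the KDC rejects the password or is unreachable, fall through to the
# local master.passwd entry (useful for emergency/local accounts).
auth        sufficient  pam_krb5.so     no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass

# "account" chain: a valid ticket only proves the password was right;
# account validity (locked, expired, shell) is still decided locally,
# which is where the LDAP-held account information would plug in.
account     required    pam_unix.so
```

Two things a practitioner wants in place before relying on this: sshd must be built with PAM support and password authentication enabled, or the "auth" chain is never run; and the host should hold its own host/ principal key in a keytab so pam_krb5 can verify the ticket it received really came from the KDC rather than from whoever answered on the network, since a password-only PAM module that skips that verification can be satisfied by a forged KDC reply. The "try_first_pass" option simply lets the second module reuse the password the first one already prompted for, so the user is asked once.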