Date: Wed, 24 Sep 2003 16:31:27 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <20030924163127.A18252@seekingfire.com>
In-Reply-To: <bkt258$af4$1@sea.gmane.org>; from jesse@wingnet.net on Wed, Sep 24, 2003 at 05:25:59PM -0400
References: <bks9kq$46u$1@sea.gmane.org> <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924145029.V18252@seekingfire.com> <bkt258$af4$1@sea.gmane.org>
On Wed, Sep 24, 2003 at 05:25:59PM -0400, Jesse Guardiani wrote:
> Tillman Hodgson wrote:
> > NIS (for authorization info) with Kerberos 5 (for authentication)
>
> What's the difference between authorization and authentication?
> I thought Kerberos handled authorization by itself

Kerberos handles authentication ("Prove that you are who you say you are"). It does not handle authorization ("What are you allowed to do") or auditing ("what have you done"). Authorization is also concerned with meta-data, like a user's home directory, preferred shell, etc.

/etc/passwd, NIS, LDAP, and others are typically used for authorization. For example, sshd won't let you log in unless you have a valid entry in /etc/passwd (or whatever scheme you're using). As an example of "other", ftpd checks /etc/ftpusers to see who is not allowed to log in. Having a valid Kerberos ticket doesn't circumvent these authorization mechanisms.

As far as auditing goes, most daemons write a log of who did what. Just be aware that Kerberos doesn't magically centralize this into a master audit log.

> > provides decent cryptography and wide platform support. Cisco supports
> > Kerberos.
>
> Although not very solidly according to other posts on this topic.

I missed the beginning of the thread so I can't speak to that.

> >> Once I get authentication working, how do I handle
> >> the creation of home directories and basic user
> >> files across multiple machines?
> >>
> >> Do I need to start running NFS, or is there a more
> >> elegant solution?
> >
> > OpenAFS, very elegant solution.
>
> Could you explain why OpenAFS is a more elegant solution than
> NFS?

See the thread in the archives entitled "AFS Server and Client" from May 6-8 of this year on freebsd-questions@.

-T

-- 
Belief gets in the way of learning. - Robert Heinlein
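The split the reply describes, Kerberos answering "who are you" while /etc/passwd and /etc/ftpusers answer "what may you do", as an added illustration that is not part of the original mail: the ticket check is modelled as a constructed set of principals, and the passwd and ftpusers contents are constructed samples, not real system files.

```python
# Constructed stand-ins for /etc/passwd and /etc/ftpusers; the Kerberos step
# is modelled as the set of principals that presented a valid ticket.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
"""
FTPUSERS = """\
# users denied ftp access
root
bob
"""
AUTHENTICATED = {"alice@EXAMPLE.COM", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM"}

def parse_passwd(text):
    """Map user name -> (uid, gid, home, shell); skip blank/malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:       # passwd(5) has exactly seven fields
            continue
        name, _, uid, gid, _, home, shell = fields
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts

def parse_denylist(text):
    """ftpusers-style list: one name per line, '#' starts a comment."""
    names = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip()
        if name:
            names.add(name)
    return names

def check_login(principal, service, accounts, ftp_denied):
    """Authenticate (valid ticket?), then authorize (passwd entry, ftpusers).
    Returns (allowed, reason, account_or_None)."""
    if principal not in AUTHENTICATED:
        return False, "authentication failed: no valid ticket", None
    user = principal.split("@", 1)[0]          # strip the realm
    acct = accounts.get(user)
    if acct is None:                           # ticket alone is not enough
        return False, "authorization failed: no passwd entry", None
    if service == "ftp" and user in ftp_denied:
        return False, "authorization failed: listed in ftpusers", acct
    return True, "ok", acct
```

carol holds a valid ticket but has no passwd entry, so she is refused; bob has both but is still kept off ftp by ftpusers, which is the point the mail makes about a ticket not bypassing per-service authorization.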
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030924163127.A18252>