Date: Wed, 24 Sep 2003 16:13:30 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Jesse Guardiani <jesse@wingnet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <200309242013.h8OKDU8U067906@khavrinen.lcs.mit.edu>
In-Reply-To: <200309241555.30825.jesse@wingnet.net>
References: <bks9kq$46u$1@sea.gmane.org> <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net>
<<On Wed, 24 Sep 2003 15:55:30 -0400, Jesse Guardiani <jesse@wingnet.net> said:

> Will any of the above do ALL of the following?
> (The below is a prioritized list of the things
> I'd like to see in an authentication system:)

Kerberos:

> 1.) Authenticate for ssh

Yes (with openssh-gssapi). We use this all the time.

> 2.) Authenticate for Cisco equipment

For certain values of ``authenticate'', ``Cisco'', ``equipment'', and ``Kerberos''.

> 3.) Authenticate for Apache htaccess files

I strongly advise against using Kerberos for this. We use mod_auth_kerb on exactly one machine: the one that runs the certificate authority.

> 4.) Allow some way to easily set root passwords and su

The Kerberized `su' utility allows individual root instances for every user. (And any other kind of instance you like; it's almost free-form text.)

> 5.) Do the above from a centralized location

That's what Kerberos is about: trusted-third-party authentication based on a modified Needham & Schroeder protocol.

> 6.) Do so with reasonable security/encryption

The Kerberos v4 protocol is cryptographically weak and should not be used in new installations. The Kerberos v5 protocol is currently considered cryptographically sound, provided that keys of appropriate strength are used. It is possible to configure Kerberos v5 to use 56-bit DES keys for symmetric crypto and an insecure checksum method as pseudo-MAC. Don't do that. (This is one of the key problems with Cisco and Windows interoperability.)

> 7.) Authenticate for Windows boxes

How well this works and in which directions depends on how your Windows infrastructure is set up. It is relatively trivial to set up Windows (>= 2000) systems to use Kerberos for login authentication in conjunction with standalone (non-domain/AD) local accounts. It requires a significant amount of effort to integrate other sorts of Windows configurations, but can be done and is documented by Microsoft and others.

-GAWollman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200309242013.h8OKDU8U067906>
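The warning under item 6 (a v5 realm can be configured down to 56-bit DES with a CRC-style checksum standing in for a MAC) is easiest to see as two `krb5.conf` fragments side by side. This is an example added here, not configuration from the original message or from the FreeBSD project; it assumes MIT Kerberos `krb5.conf` syntax (the `allow_weak_crypto` knob is MIT-specific), and `EXAMPLE.ORG` / `kdc.example.org` are placeholders.

```ini
# Added example, not from the original message. Assumes MIT Kerberos
# krb5.conf syntax; EXAMPLE.ORG and kdc.example.org are placeholders.

# --- Weak: the configuration the reply warns against ----------------------
# des-cbc-crc pairs a 56-bit DES key with a CRC-32 "checksum" that is not a
# keyed MAC. Forcing it realm-wide so that old Cisco or Windows clients can
# interoperate downgrades every ticket the KDC issues.
#[libdefaults]
#    default_realm = EXAMPLE.ORG
#    allow_weak_crypto = true
#    default_tkt_enctypes = des-cbc-crc des-cbc-md5
#    default_tgs_enctypes = des-cbc-crc des-cbc-md5
#    permitted_enctypes   = des-cbc-crc des-cbc-md5

# --- Corrected: refuse single-DES entirely ---------------------------------
[libdefaults]
    default_realm = EXAMPLE.ORG
    # Reject des-* enctypes even when the KDC or a peer offers them.
    allow_weak_crypto = false
    # AES-CTS with HMAC-SHA1 gives both confidentiality and a real MAC.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.ORG = {
        kdc          = kdc.example.org
        admin_server = kdc.example.org
    }
```

After switching to the corrected fragment, `kinit` followed by `klist -e` (MIT) or `klist -v` (Heimdal) shows the enctype of each cached ticket; any ticket still reporting a `des-cbc-*` enctype means a service principal's key was never rekeyed and the KDC is still honouring the weak type for it.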