Date: Thu, 25 Sep 2003 11:54:55 -0400 (EDT) From: Robert Watson <rwatson@freebsd.org> To: Jesse Guardiani <jesse@wingnet.net> Cc: freebsd-security@freebsd.org Subject: Re: unified authentication Message-ID: <Pine.NEB.3.96L.1030925115333.50146C-100000@fledge.watson.org> In-Reply-To: <bkstue$dkf$1@sea.gmane.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 24 Sep 2003, Jesse Guardiani wrote: > > My current preference in new installs is to use Kerberos5 for > > authentication and LDAP for account information. If you're willing to > > throw SSL into the mix, a lack of "kerberization" isn't such a problem -- > > you basically end up using Kerberos5 as a distributed password mechanism > > for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL, > > etc. > > And that's more or less what I was thinking of doing here, except it > wouldn't be IMAP and SMTP (because that is already handled by my mail > server's MySQL database), but Kerberos as a distributed password > mechanism for SSH, Apache .htaccess, Cisco routers, etc... > > Does that work well with FreeBSD 4.8? Or would I need to use 5.x to > deploy Kerberos5 in that manner? Kerberos5 should work fine; direct support for LDAP is a problem for 4.x due to a lack of complete NSS support--to do this directly, you'd need to run 5.x. My understanding is that some sites dump their LDAP databases to NIS databases and share them on the FreeBSD side using NIS, which is also a reasonable (if less secure) solution. If you just want to use Kerberos5 for password sharing, 4.x should be no problem at all. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1030925115333.50146C-100000>