From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 08:55:17 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C7A9916A4B3
	for ; Thu, 25 Sep 2003 08:55:17 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D88CD43FF9
	for ; Thu, 25 Sep 2003 08:55:16 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1])
	by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PFsugL050585;
	Thu, 25 Sep 2003 11:54:56 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost) h8PFsuHb050582;
	Thu, 25 Sep 2003 11:54:56 -0400 (EDT)
Date: Thu, 25 Sep 2003 11:54:55 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Jesse Guardiani
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 25 Sep 2003 15:55:17 -0000

On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> > My current preference in new installs is to use Kerberos5 for
> > authentication and LDAP for account information. If you're willing to
> > throw SSL into the mix, a lack of "kerberization" isn't such a problem --
> > you basically end up using Kerberos5 as a distributed password mechanism
> > for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
> > etc.
>
> And that's more or less what I was thinking of doing here, except it
> wouldn't be IMAP and SMTP (because that is already handled by my mail
> server's MySQL database), but Kerberos as a distributed password
> mechanism for SSH, Apache .htaccess, Cisco routers, etc...
>
> Does that work well with FreeBSD 4.8? Or would I need to use 5.x to
> deploy Kerberos5 in that manner?

Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
due to a lack of complete NSS support -- to do this directly, you'd need to
run 5.x.  My understanding is that some sites dump their LDAP databases to
NIS databases and share them on the FreeBSD side using NIS, which is also a
reasonable (if less secure) solution.  If you just want to use Kerberos5 for
password sharing, 4.x should be no problem at all.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
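The "dump LDAP to NIS" workaround mentioned above, as an added example that is not part of the original thread and is not code from either poster. It assumes the directory uses the RFC 2307 posixAccount/posixGroup attributes (the message does not name a schema) and that the export is in LDIF form as ldapsearch -LLL prints it; the sample export is constructed. The NIS side gets master.passwd(5) and group(5) source lines, with the password field set to '*' so that only account data, never password hashes, crosses NIS, since Kerberos is doing the authentication and NIS hands maps to any client that asks. Where the generated files live on the NIS master is site-specific and not assumed here.

```python
"""Convert an LDIF export of RFC 2307 accounts and groups into the
master.passwd(5) and group(5) source lines a FreeBSD NIS master builds its
maps from.  Added example for this thread, not code from either poster; it
assumes an ``ldapsearch -LLL`` style export (the sample is constructed).
Kerberos authenticates, so the password field is '*': the NIS maps carry no
hashes, which matters because NIS serves maps to unauthenticated clients."""
import base64

# Constructed sample.  The two-space line under "cn: Jesse" is an LDIF fold:
# one space is the continuation marker, the other belongs to the value.
SAMPLE_LDIF = """\
dn: uid=jesse,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: jesse
uidNumber: 1001
gidNumber: 1001
cn: Jesse
  Guardiani
homeDirectory: /home/jesse
loginShell: /usr/local/bin/bash
userPassword:: e1NTSEF9ZmFrZWhhc2g=

dn: cn=wheel,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: wheel
gidNumber: 0
memberUid: jesse
memberUid: root
"""

def unfold(text):
    """Join LDIF continuation lines (a leading single space) onto their value."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values]}.
    'attr:: value' carries base64 (binary or non-safe characters)."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def field(entry, attr, numeric=False):
    """Exactly one value, free of characters that would corrupt a map line
    (a colon in a uid or home directory would shift every later field)."""
    values = entry.get(attr, [])
    dn = entry.get("dn", ["?"])[0]
    if len(values) != 1:
        raise ValueError(f"{attr} must appear exactly once in {dn}")
    if ":" in values[0] or "\n" in values[0]:
        raise ValueError(f"{attr} contains a delimiter in {dn}")
    if numeric and not values[0].isdigit():
        raise ValueError(f"{attr} is not numeric in {dn}")
    return values[0]

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))

def master_passwd_lines(entries):
    """master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell."""
    out = []
    for e in entries:
        if not has_class(e, "posixAccount"):
            continue
        gecos = e.get("gecos", e.get("cn", [""]))[0]
        gecos = gecos.replace(":", " ").replace("\n", " ")
        out.append(":".join([field(e, "uid"), "*", field(e, "uidnumber", True),
                             field(e, "gidnumber", True), "", "0", "0", gecos,
                             field(e, "homedirectory"), field(e, "loginshell")]))
    return out

def group_lines(entries):
    """group(5): name:pw:gid:member,member"""
    out = []
    for e in entries:
        if not has_class(e, "posixGroup"):
            continue
        members = e.get("memberuid", [])
        if any(":" in m or "," in m for m in members):
            raise ValueError(f"bad memberUid in {e.get('dn')}")
        out.append(":".join([field(e, "cn"), "*", field(e, "gidnumber", True),
                             ",".join(members)]))
    return out
```

Running parse_ldif(SAMPLE_LDIF) through master_passwd_lines and group_lines yields one account line and one group line; a colon or newline smuggled into a uid, home directory or group name is rejected rather than written into the map, because a map line is parsed purely by position.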