Since Fedora is not aimed at enterprise/business ..

Derek P. Moore derek.moore at sbcglobal.net
Tue Oct 7 05:25:12 UTC 2003


> I've got networks doing single-sign on using
> ldap/pam/nss/friends, no K needed.

Uh, I'm pretty sure (LDAP + PAM + NSS) != single sign
on.  However, (Kerberos + LDAP + PAM + NSS) == single
sign on.  LDAP in no way prevents you from needing to
supply your password to the mail server or to the news
server or to the LDAP server, for that matter. 
Kerberos does.

Maybe your definition of "single sign on" is
different.  By "single sign on" I (and others, I'm
sure) don't mean "centralized password database that
all services use".  We mean "type your password only
once and never again".

> As someone mentioned, paraphrasing "setting
> up/understanding Kerberos is a nightmare".

For me, setting up Kerberos was pretty easy.  Just as
easy as was setting up Apache my first time.  I
actually had /much/ more trouble with LDAP.  If you
managed to wrap your brain around LDAP, wrapping your
brain around Kerberos is nothing.

> The tools to make this a reasonable expectation are
> simply not there.

What tools are you talking about?  Isn't a
configuration file and a daemon enough for you? 
You're the one that keeps bringing up the point about
how Fedora is a "hobbyists and enthusiasts" distro. 
Shouldn't "hobbyists and enthusiasts" be expected to
edit a config file or two?  If by "tools" you're
referring to 'kadmin', I can assure you that 'kadmin'
works, otherwise nobody would use Kerberos.

> "Are you using it?"

Yes.  At home & at work.

> "Do you know how?"

Yes.  Otherwise I wouldn't be using it.

> "Do you *need* it?"

Uhh, yes.  Very much so.  I need centralized
authentication & real security, and I strongly desire
single sign on.  LDAP may provide centralized
authentication, and, with TLS, some security; but
it'll never provide single sign on, and it'll never
prevent man-in-the-middle attacks, and it'll never
provide mutual authentication between client & server.

>> "SSH is no replacement for Kerberos"
>
> Agreed. But then again, you can reverse that
> statement with no change in truth. Kerberos is not a
> replacement for SSH either.

Almost true.  Kerberos certainly is a replacement for
SSH (well, in a manner of speaking).  Kerberized rsh,
rcp, telnet, etc. are pretty much feature equivalent
to SSH, transport layer encryption and all.  But then
again, Kerberized SSH also exists...  So...  Yeah.

Anyways, the point is, with Kerberos, you can switch
back to the tools that SSH was meant to fix/replace.

> Geez, didn't know Kerberos was one of the Sacred
> Cows of RedHat err I mean Fedora.

Geez, you didn't realize that Linux users care about
security and ease-of-use.

Derek
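The property Derek is arguing about (one password entry yields tickets for every service, and the AP-REP gives the client proof that the server holds the service key, so an impostor or man-in-the-middle without that key is detected) is easier to see in a runnable model. The following is an added illustration, not code from the original post or from any Kerberos implementation: it walks the three exchanges (AS, TGS, AP) with both sides' messages in a single process. The realm, principal names, passwords and the HMAC-SHA256 keystream "encryption" are all constructed for the example and are not real Kerberos enctypes or key-derivation rules.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges with mutual authentication.
Added illustration only: the cipher below is a constructed HMAC keystream + tag,
not a real Kerberos enctype, and the principals/passwords are made up."""
import hashlib, hmac, json, os, time


def string2key(password: str, salt: str) -> bytes:
    # Toy string-to-key; real Kerberos uses enctype-specific derivation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))


def encrypt(key: bytes, obj) -> bytes:
    # Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key; passwords never cross the wire."""
    def __init__(self, realm, principals):
        self.realm, self.tgs = realm, "krbtgt/" + realm
        self.keys = {p: string2key(pw, realm + p) for p, pw in principals.items()}
        self.keys[self.tgs] = os.urandom(32)

    def as_exchange(self, cname):
        # AS-REP: TGT sealed under the krbtgt key + TGT session key sealed under the user's key.
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys[self.tgs], {"cname": cname, "sk": sk, "exp": time.time() + 36000})
        return tgt, encrypt(self.keys[cname], {"sk": sk, "sname": self.tgs})

    def tgs_exchange(self, tgt, authenticator, sname):
        body = decrypt(self.keys[self.tgs], tgt)
        auth = decrypt(bytes.fromhex(body["sk"]), authenticator)  # proves client knows the TGT session key
        if auth["cname"] != body["cname"] or time.time() > body["exp"]:
            raise ValueError("authenticator does not match TGT")
        sk = os.urandom(32).hex()
        ticket = encrypt(self.keys[sname], {"cname": body["cname"], "sk": sk, "exp": time.time() + 36000})
        return ticket, encrypt(bytes.fromhex(body["sk"]), {"sk": sk, "sname": sname})


class Service:
    def __init__(self, sname, key):
        self.sname, self.key, self.seen = sname, key, set()  # 'seen' is a replay cache

    def ap_exchange(self, ticket, authenticator):
        body = decrypt(self.key, ticket)             # only the real service key opens the ticket
        sk = bytes.fromhex(body["sk"])
        auth = decrypt(sk, authenticator)
        if auth["cname"] != body["cname"] or abs(time.time() - auth["ts"]) > 300 \
                or (auth["cname"], auth["ts"]) in self.seen:
            raise ValueError("bad or replayed authenticator")
        self.seen.add((auth["cname"], auth["ts"]))
        return encrypt(sk, {"ts": auth["ts"]})       # AP-REP: proves server could read the ticket


class Impostor(Service):
    """A server (or MITM) that does not hold the real service key."""
    def ap_exchange(self, ticket, authenticator):
        try:
            return super().ap_exchange(ticket, authenticator)
        except ValueError:
            return os.urandom(80)                    # cannot forge a valid AP-REP


class Client:
    def __init__(self, cname, kdc):
        self.cname, self.kdc, self.password_prompts = cname, kdc, 0

    def kinit(self, password):
        self.password_prompts += 1                   # the one and only password entry
        self.tgt, sealed = self.kdc.as_exchange(self.cname)
        key = string2key(password, self.kdc.realm + self.cname)
        self.tgt_sk = bytes.fromhex(decrypt(key, sealed)["sk"])  # wrong password -> ValueError

    def talk_to(self, service) -> bool:
        ts = time.time()
        ticket, sealed = self.kdc.tgs_exchange(
            self.tgt, encrypt(self.tgt_sk, {"cname": self.cname, "ts": ts}), service.sname)
        sk = bytes.fromhex(decrypt(self.tgt_sk, sealed)["sk"])
        ap_rep = service.ap_exchange(ticket, encrypt(sk, {"cname": self.cname, "ts": ts}))
        try:
            return decrypt(sk, ap_rep)["ts"] == ts   # mutual authentication check
        except ValueError:
            return False


def demo():
    realm = "EXAMPLE.COM"                            # constructed realm and principals
    kdc = KDC(realm, {"derek": "hunter2-but-longer", "imap/mail": "s1", "nntp/news": "s2"})
    mail, news = Service("imap/mail", kdc.keys["imap/mail"]), Service("nntp/news", kdc.keys["nntp/news"])
    fake_mail = Impostor("imap/mail", os.urandom(32))
    c = Client("derek", kdc)
    c.kinit("hunter2-but-longer")
    return {"mail_ok": c.talk_to(mail), "news_ok": c.talk_to(news),
            "impostor_rejected": not c.talk_to(fake_mail), "password_prompts": c.password_prompts}
```

Running `demo()` shows the three things the thread is arguing about: the password is entered once (`password_prompts == 1`), both the mail and news services accept the client on tickets alone, and the impostor that lacks the `imap/mail` key cannot decrypt the ticket or produce a valid AP-REP, so the client's mutual-authentication check fails rather than silently trusting the wrong server.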
