Network nirvana [Re: Since Fedora is not aimed at enterprise/business ..]

Owen Taylor otaylor at redhat.com
Wed Oct 1 22:04:48 UTC 2003


On Wed, 2003-10-01 at 17:13, Chris Ricker wrote:
> On Wed, 1 Oct 2003, Owen Taylor wrote:
> 
> > That may be the case currently, but why does it have to be that
> > way? What we are talking about is fundamentally pretty simple:
> > 
> >  - Central user database
> >  - Single sign-on passwords
> >  - Secure network exported home dirs 
> 
> There's your problem. Secure distributed single sign-on protocols (like
> krb5) are NOT simple. Sure, more documentation is needed (there's only one
> in-print Kerberos book, and it doesn't really say a whole lot, for example)
> but documentation only gets you so far.... krb is inherently more involved
> to set up or trouble-shoot than, say, NIS, and that's not really changeable
> given krb's architecture (and any replacement protocol will likely have to
> be just as complex, given everything a secure distributed authentication
> protocol has to protect against).

The fact that there is underlying complexity is not, in itself,
a problem. Thinking about the desktop, to put up a button
that says "Hello World" involves great underlying complexity
in font selection, theme engines, X window system extensions,
and all that.

But all the developer writes is:
 
 gtk_button_new_with_label ("Hello World");

And all the user has to do is click on the button. 

If Kerberos is seamlessly integrated into the system, the concepts
that a user should need to know are pretty small. Maybe they
know that they have something called a "ticket" that expires 
after some time. But maybe they just know that if they work
for 12 hours straight they'll get prompted again for their password
at some point.

And I don't see why the concepts that an admin needs to know
are that much more complicated:

 - You configure one server as your "authentication server"
 - There is a nice GUI tool you run on that server (or run
   elsewhere and point to that server) to reset and configure
   users' passwords.
 - You point all the clients at the "authentication server"
 - When configuring a service that people log into, there
   is a process of generating a "service identity" that 
   requires someone with admin access on the authentication 
   server.

Is that a gross (and factually inaccurate, since I'm not very
familiar with Kerberos) simplification? Yes.

But my contention would be that there are only a few basic
important concepts to understand how Kerberos works; that 
knowing those concepts is sufficient for configuration of
a small isolated network; that much of the learning barrier
comes from handling of multiple realms, krb4 compatibility,
and all sorts of other advanced irrelevant details; more
of the learning barrier is obscure configuration files,
obscure command line utilities, and poor defaults.

Is someone going to be able to duplicate the MIT kerberos 
setup in a day/year/decade? No. But the fact that Gnumeric
is amazingly complex doesn't mean that you can't get a basic
GTK+ program going very quickly.

Regards,
						Owen
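The "few basic concepts" Owen lists (a central server that knows every user's and service's key, a ticket that expires after some hours, a "service identity" that an admin generates on the authentication server) can be shown as a small runnable model. This is an added example written for this archive page, not code from the message, from Fedora, or from MIT Kerberos; the realm EXAMPLE.COM, the principals alice and nfs/fileserver.example.com, the 12-hour lifetime and the HMAC-based toy cipher are all assumptions made here so the script runs with the Python standard library alone. Real Kerberos uses ASN.1 messages, standardised encryption types and a string-to-key function per enctype, none of which are reproduced.

```python
"""Toy model of the Kerberos concepts discussed above (added example, not
real krb5): central key database, expiring ticket-granting ticket (TGT),
service tickets that the service verifies with its own keytab key."""
import hashlib, hmac, json, os

def derive_key(password: str, realm: str, name: str) -> bytes:
    # Long-term user key from password + salt. Real krb5 uses an
    # enctype-specific string-to-key; PBKDF2 stands in for it here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:  # CTR-style stream from HMAC-SHA256 (toy cipher, illustration only)
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object; models an encrypted Kerberos part."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The 'authentication server': the only place that holds every key."""
    def __init__(self, realm: str, lifetime: int = 12 * 3600):
        self.realm, self.lifetime, self.keys = realm, lifetime, {}
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service itself

    def add_user(self, name: str, password: str) -> None:  # the GUI "set password" step
        self.keys[name] = derive_key(password, self.realm, name)

    def add_service(self, name: str) -> bytes:
        # "Generating a service identity": admin creates a random key on the KDC;
        # the returned bytes are what gets installed in the service's keytab.
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def as_exchange(self, user: str, now: int) -> bytes:
        # AS exchange: reply is sealed under the user's key, so only someone who
        # knows the password can read the session key and use the TGT.
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "session": session, "expires": now + self.lifetime})
        return seal(self.keys[user], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        t = unseal(self.tgs_key, tgt)
        if now >= t["expires"]:
            raise PermissionError("TGT expired: prompt for the password again")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["time"]) > 300:
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session,
                                           "expires": t["expires"]})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})

def login(kdc: KDC, user: str, password: str, now: int) -> dict:
    try:
        rep = unseal(derive_key(password, kdc.realm, user), kdc.as_exchange(user, now))
    except ValueError:
        raise PermissionError("wrong password")
    return {"user": user, "session": rep["session"], "tgt": bytes.fromhex(rep["tgt"])}

def get_service_ticket(kdc: KDC, cred: dict, service: str, now: int):
    auth = seal(bytes.fromhex(cred["session"]), {"client": cred["user"], "time": now})
    rep = unseal(bytes.fromhex(cred["session"]), kdc.tgs_exchange(cred["tgt"], auth, service, now))
    return bytes.fromhex(rep["ticket"]), rep["session"]

def service_accepts(keytab_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    # The service never talks to the KDC: its keytab key alone verifies the ticket.
    t = unseal(keytab_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    return a["client"] == t["client"] and now < t["expires"]

def demo() -> dict:
    kdc = KDC("EXAMPLE.COM")                       # assumed realm
    kdc.add_user("alice", "correct horse")         # constructed user
    nfs_key = kdc.add_service("nfs/fileserver.example.com")  # keytab for the NFS server
    t0 = 1_700_000_000                             # fixed clock so the run is deterministic
    cred = login(kdc, "alice", "correct horse", t0)
    ticket, skey = get_service_ticket(kdc, cred, "nfs/fileserver.example.com", t0 + 60)
    auth = seal(bytes.fromhex(skey), {"client": "alice", "time": t0 + 60})
    access = service_accepts(nfs_key, ticket, auth, t0 + 60)
    try:   # 13 hours later the TGT is stale: the user gets prompted again
        get_service_ticket(kdc, cred, "nfs/fileserver.example.com", t0 + 13 * 3600)
        after_12h = True
    except PermissionError:
        after_12h = False
    try:
        login(kdc, "alice", "wrong password", t0)
        wrong_pw = True
    except PermissionError:
        wrong_pw = False
    return {"access": access, "after_12h": after_12h, "wrong_password": wrong_pw}

if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: the file server holds only its own keytab key and never sees alice's password or contacts the KDC; the user's only visible artefact is a TGT that stops working after the configured lifetime; and every key lives in one place, which is exactly why the "central user database" and the "service identity" step both end up on the same server.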





