Network nirvana [Re: Since Fedora is not aimed at enterprise/business ..]
Owen Taylor
otaylor at redhat.com
Wed Oct 1 22:04:48 UTC 2003
On Wed, 2003-10-01 at 17:13, Chris Ricker wrote:
> On Wed, 1 Oct 2003, Owen Taylor wrote:
>
> > That may be the case currently, but why does it have to be that
> > way? What we are talking about is fundamentally pretty simple:
> >
> > - Central user database
> > - Single sign-on passwords
> > - Secure network exported home dirs
>
> There's your problem. Secure distributed single sign-on protocols (like
> krb5) are NOT simple. Sure, more documentation is needed (there's only one
> in-print Kerberos book, and it doesn't really say a whole lot, for example)
> but documentation only gets you so far.... krb is inherently more involved
> to set up or trouble-shoot than, say, NIS, and that's not really changeable
> given krb's architecture (and any replacement protocol will likely have to
> be just as complex, given everything a secure distributed authentication
> protocol has to protect against).
The fact that there is underlying complexity is not, in itself,
a problem. Thinking about the desktop, to put up a button
that says "Hello World" involves great underlying complexity
in font selection, theme engines, X window system extensions,
and all that.
But all the developer writes is:
gtk_button_new_with_label ("Hello World");
And all the user has to do is click on the button.
If Kerberos is seamlessly integrated into the system, the concepts
that a user should need to know are pretty small. Maybe they
know that they have something called a "ticket" that expires
after some time. But maybe they just know that if they work
for 12 hours straight they'll get prompted again for their password
at some point.
And I don't see why the concepts that an admin needs to know
are that much more complicated:
- You configure one server as your "authentication server"
- There is a nice GUI tool you run on that server (or run
elsewhere and point to that server) to reset and configure
users' passwords.
- You point all the clients at the "authentication server"
- When configuring a service that people log into, there
is a process of generating a "service identity" that
requires someone with admin access on the authentication
server.
Is that a gross (and factually inaccurate, since I'm not very
familiar with Kerberos) simplification? Yes.
But my contention would be that there are only a few basic
important concepts to understand how Kerberos works; that
knowing those concepts is sufficient for configuration of
a small isolated network; that much of the learning barrier
comes from handling of multiple realms, krb4 compatibility,
and all sorts of other advanced irrelevant details; more
of the learning barrier is obscure configuration files,
obscure command line utilities, and poor defaults.
Is someone going to be able to duplicate the MIT kerberos
setup in a day/year/decade? No. But the fact that Gnumeric
is amazingly complex doesn't mean that you can't get a basic
GTK+ program going very quickly.
Regards,
Owen
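Added example (editor's, not part of Owen's post or of any Fedora/MIT tool): the four admin concepts listed above, written out as the MIT Kerberos files and kadmin commands they correspond to for one small isolated realm. Every name is a placeholder assumption: realm EXAMPLE.COM, KDC host kdc.example.com, service host files.example.com, user alice, and Fedora's /var/kerberos/krb5kdc directory. The script renders the config files into a scratch directory and only prints the privileged commands; set APPLY=1 and run it as root on the KDC to actually execute them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the admin concepts above as
# MIT Kerberos configuration files and kadmin commands for one isolated realm.
# Placeholders: realm EXAMPLE.COM, KDC kdc.example.com, user alice,
# service host files.example.com. Dry run by default; APPLY=1 executes.
set -e

REALM="${REALM:-EXAMPLE.COM}"
KDC_HOST="${KDC_HOST:-kdc.example.com}"
DOMAIN="${DOMAIN:-example.com}"
APPLY="${APPLY:-0}"
KRB5_HOME="${KRB5_HOME:-/var/kerberos/krb5kdc}"   # Fedora's KDC directory (assumed)

# "Point all the clients at the authentication server": one krb5.conf, identical
# on the KDC and on every client. dns_lookup_kdc is off so a spoofed DNS answer
# cannot redirect clients to some other KDC; the realm's KDC is named explicitly.
render_krb5_conf() {   # args: realm kdc-host dns-domain
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d

[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$3 = $1
    $3 = $1
EOF
}

# "Configure one server as your authentication server": kdc.conf lives only on
# the KDC. max_life is the ceiling on what a client's ticket_lifetime may ask for;
# that ceiling is why users get re-prompted after a working day.
render_kdc_conf() {    # args: realm krb5-home
    cat <<EOF
[kdcdefaults]
    kdc_ports = 88

[realms]
    $1 = {
        database_name = $2/principal
        acl_file = $2/kadm5.acl
        key_stash_file = $2/.k5.$1
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
EOF
}

# The "tool to reset and configure users' passwords" is kadmin; this ACL says
# which principals may use it (here: anyone with an */admin instance).
render_kadm5_acl() {   # args: realm
    printf '*/admin@%s *\n' "$1"
}

# Show each privileged command; run it only when APPLY=1.
run() {
    printf '+ %s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# Create the realm database (-s stashes the master key so krb5kdc can start
# unattended), then an admin principal and an ordinary user. addprinc prompts
# for the password interactively when no -pw/-randkey is given.
bootstrap_realm() {    # args: realm
    run kdb5_util -r "$1" create -s
    run kadmin.local -r "$1" -q "addprinc alice/admin"
    run kadmin.local -r "$1" -q "addprinc alice"
}

# "Service identity": a principal with a random key, exported into a keytab that
# is copied to that one host and kept readable by root only. This is the step
# that needs someone with admin access on the KDC.
add_service_identity() { # args: realm service-principal keytab-path
    run kadmin.local -r "$1" -q "addprinc -randkey $2"
    run kadmin.local -r "$1" -q "ktadd -k $3 $2"
}

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
render_krb5_conf "$REALM" "$KDC_HOST" "$DOMAIN" > "$OUT_DIR/krb5.conf"
render_kdc_conf "$REALM" "$KRB5_HOME" > "$OUT_DIR/kdc.conf"
render_kadm5_acl "$REALM" > "$OUT_DIR/kadm5.acl"
bootstrap_realm "$REALM"
add_service_identity "$REALM" "host/files.$DOMAIN@$REALM" "$OUT_DIR/files.keytab"
echo "rendered krb5.conf, kdc.conf and kadm5.acl into $OUT_DIR"
```

The files go on the KDC under the krb5kdc directory, krb5.conf additionally on every client, and the keytab only on files.example.com. After starting krb5kdc and kadmind, a client checks the whole chain with kinit alice followed by klist, which also shows the ticket expiry that is the one concept a user is left with.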