systematic Kerberization
Stephen Smoogen
smoogen at lanl.gov
Tue May 11 03:21:37 UTC 2004
On Mon, 10 May 2004, Chris Ricker wrote:
>On Mon, 10 May 2004, Havoc Pennington wrote:
>
>> Hi,
>>
>> Something we've wanted to do for a long time is create a matrix of
>> programs that should support Kerberos authentication, and start checking
>> them off. I guess this includes both client-side and server-side.
>>
>> Does anyone have a good start on this?
>>
>> Any real-world experience/scenarios where Kerberos support was needed
>> and not available? (Which things should be Kerberized first?)
>
>RH actually used to support krb a bit better than it does now ;-(
>
>At any rate, apps which need kerberization:
>
>ssh -- can't remember off-hand if RH RPMs are patched now or not?
>cups -- lprng did support, cups doesn't yet
>dovecot -- uw-imap did support, dovecot doesn't yet

cyrus-imap does support it. We have had good success integrating it
with squirrelmail also.

>MUA -- no idea, as I don't use any of the ones RH ships
>Mozilla -- efforts appear underway here
>amanda -- not sure if upstream supports krb5 or just krb4 right now, but
>kerberized backups are a requirement here
>
>For me, though, the biggest problem is the generic pam / glibc / moon phase
>/ whatever interaction where RH and Fedora systems blow up badly, failing to
>degrade back to existing local accounts, if a distributed information /
>authentication (LDAP, krb, NIS) is down.... Any enterprise that's going
>Kerberos, IMHO, can mostly work around the rest simply by pushing out more
>functional software than what RH ships, but that one can be kinda a pain to
>work around....

Yes. Right now the biggest complaint with the RHEL-3/Fedora
laptops is that they are useless if taken offline without a manual
change of turning off LDAP+etc.

--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --