systematic Kerberization

Jeremy Katz katzj at redhat.com
Tue May 11 04:37:21 UTC 2004 

I'll reply... and since it's the -devel-list, I'll give pointers for
people looking for a project to work on :-)

On Mon, 2004-05-10 at 23:08 -0400, Chris Ricker wrote:
> ssh -- can't remember off-hand if RH RPMs are patched now or not?

Not at present, but with upstream traction on including this (or
starting to), this should be an easy one.  The thing that always bit me
with using this was questions about how ticket forwarding should work,
etc -- those may be resolved now since it's been about two years since I
seriously played with it.  Reports from people brave enough to try to
get the patches we include working with the current upstream version of
openssh and seeing how this works would probably be helpful.

> cups -- lprng did support, cups doesn't yet

There's some work upstream going on for this, see elsewhere in the
thread.  I also think I've seen links to even more positive information,
but I don't have a link off-hand.  

> dovecot -- uw-imap did support, dovecot doesn't yet

I started looking at this at one point, it seemed pretty straight
forward, it just requires the developer round 'tuits.  There are two
different approaches that can be taken here, one would be adding it
directly and the other would be improving the cyrus-sasl support and
then using cyrus-sasl-gssapi.  Upstream is definitely willing to accept
work in this area.

> MUA -- no idea, as I don't use any of the ones RH ships

evolution supports IMAP, SMTP and LDAP with gssapi auth.  So in theory,
this should be good.  Some of the new calendaring stuff may not yet, but
I haven't looked at that very closely.

> Mozilla -- efforts appear underway here

Yep, progress is being made.

> For me, though, the biggest problem is the generic pam / glibc / moon phase
> / whatever interaction where RH and Fedora systems blow up badly, failing to
> degrade back to existing local accounts, if a distributed information /
> authentication (LDAP, krb, NIS) is down.... Any enterprise that's going
> Kerberos, IMHO, can mostly work around the rest simply by pushing out more
> functional software than what RH ships, but that one can be kinda a pain to
> work around....

Yeah, I'm not quite sure what's going on here.  At the same time, it's
definitely not an unsolvable problem.  And since this is Havoc's
wishlist thread, we should make sure that fixing this ends up in
there ;)

Jeremy

More information about the fedora-devel-list mailing list