Network nirvana [Re: Since Fedora is not aimed at enterprise/business ..]

Chris Ricker kaboom at gatech.edu
Wed Oct 1 23:47:05 UTC 2003


On Wed, 1 Oct 2003, Owen Taylor wrote:

> But my contention would be that there are only a few basic
> important concepts to understand how Kerberos works; that 
> knowing those concepts is sufficient for configuration of
> a small isolated network; that much of the learning barrier
> comes from handling of multiple realms, krb4 compatibility,
> and all sorts of other advanced irrelevant details; more
> of the learning barrier is obscure configuration files,
> obscure command line utilities, and poor defaults.

Well, the problem here is that with Kerberos the complexity isn't in things
like the configuration files or the commands -- it's the whole
authentication process of principals getting ticket-granting tickets which
allow them to get service tickets which they then present to the service to
be authenticated and authorized to use it. To administer it, you have to
understand the whole flow of all that at a conceptual level.

If you look at, say, /etc/krb5.conf you'll find that the syntax is
reasonably sane and that there's very little you normally change, barring
rare complexities like setting up direct (non-hierarchical) cross-realm
authentication. Even things as simple as authconfig mostly configure that
right already. Similarly, the commands you use to generate principals and
such aren't difficult. At least IMHO, it's the logic of "when do I need this
command" that's the complex part, and that goes back to understanding the
system, which goes back to docs.

You'll see that if you look at the existing Kerberos GUIs, or at least the
two I've used. Sun has gkadmin (usual Solaris Java applet mess) and MS has a
whole slew of stuff for AD, and neither are really usable unless you know
how the process works....

There are a few defaults in Red Hat which could be tuned better -- for
example, last I looked, Red Hat randomly used a different default encryption
for tickets than any other MIT-derived Kerberos, which makes things "fun" if
you have, say, Solaris and Red Hat around. Good luck designing a GUI which 
can walk admins through diagnosing that ;-)

later,
chris
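The flow Chris describes above (principal gets a TGT, uses it to get a service ticket, presents that to the service), as an added toy model that is not from this thread and is not MIT Kerberos code. The principal names, the KDC key table and the HMAC-based `seal`/`unseal` are constructed stand-ins for a real KDC database and enctype; the point is which key opens which part of each reply, which is exactly the "when do I need this" logic an admin has to hold in their head.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # HMAC-SHA256 counter-mode keystream, a toy stand-in for an enctype
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object: only a holder of `key` can open or forge it
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC database: long-term keys for the TGS itself, one service, and one user.
TGS, SVC, USER = "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/fs.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"
KEYS = {name: os.urandom(32) for name in (TGS, SVC, USER)}

def _verify(server_key, ticket, authenticator):
    """Open the ticket with the server's key, then the authenticator with the session key inside it."""
    t = unseal(server_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["exp"] < time.time() or abs(a["ts"] - time.time()) > 300:
        raise ValueError("ticket/authenticator mismatch, expired ticket, or stale authenticator")
    return t

def as_exchange(client):  # AS-REQ/AS-REP: TGT under the TGS key, session key under the client's key
    sk = os.urandom(32).hex()
    tgt = seal(KEYS[TGS], {"client": client, "key": sk, "exp": time.time() + 36000})
    return seal(KEYS[client], {"key": sk}), tgt

def tgs_exchange(tgt, authenticator, service):  # TGS-REQ/TGS-REP: TGT + authenticator -> service ticket
    t = _verify(KEYS[TGS], tgt, authenticator)
    ssk = os.urandom(32).hex()
    st = seal(KEYS[service], {"client": t["client"], "key": ssk, "exp": time.time() + 36000})
    return seal(bytes.fromhex(t["key"]), {"service": service, "key": ssk}), st

def ap_exchange(service, st, authenticator):  # AP-REQ: the service itself checks the ticket, no KDC call
    return _verify(KEYS[service], st, authenticator)["client"]

def login_and_access(client, service):
    """Whole flow from the client's side; the client never learns the TGS or service keys."""
    enc, tgt = as_exchange(client)
    sk = bytes.fromhex(unseal(KEYS[client], enc)["key"])  # only the user's own key opens this part
    enc2, st = tgs_exchange(tgt, seal(sk, {"client": client, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, enc2)["key"])
    return ap_exchange(service, st, seal(ssk, {"client": client, "ts": time.time()}))
```

Note that the service in `ap_exchange` never talks to the KDC; it trusts the ticket purely because it opens under its own key, which is why a service's keytab is the thing to protect.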
