systematic Kerberization

Chris Ricker kaboom at gatech.edu
Tue May 11 03:08:31 UTC 2004


On Mon, 10 May 2004, Havoc Pennington wrote:

> Hi,
> 
> Something we've wanted to do for a long time is create a matrix of
> programs that should support Kerberos authentication, and start checking
> them off. I guess this includes both client-side and server-side.
> 
> Does anyone have a good start on this?
> 
> Any real-world experience/scenarios where Kerberos support was needed
> and not available? (Which things should be Kerberized first?)

RH actually used to support krb a bit better than it does now ;-(

At any rate, apps which need kerberization:

ssh -- can't remember off-hand if RH RPMs are patched now or not?
cups -- lprng did support, cups doesn't yet
dovecot -- uw-imap did support, dovecot doesn't yet
MUA -- no idea, as I don't use any of the ones RH ships
Mozilla -- efforts appear underway here
amanda -- not sure if upstream supports krb5 or just krb4 right now, but kerberized backups are a requirement here

For me, though, the biggest problem is the generic pam / glibc / moon phase
/ whatever interaction where RH and Fedora systems blow up badly, failing to
degrade back to existing local accounts, if a distributed information /
authentication service (LDAP, krb, NIS) is down.... Any enterprise that's going
Kerberos, IMHO, can mostly work around the rest simply by pushing out more
functional software than what RH ships, but that one can be kinda a pain to
work around....

later,
chris





More information about the fedora-devel-list mailing list