Re: systematic Kerberization
- From: Stephen Smoogen <smoogen lanl gov>
- To: Chris Ricker <kaboom gatech edu>, Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Cc:
- Subject: Re: systematic Kerberization
- Date: Mon, 10 May 2004 21:21:37 -0600 (MDT)
On Mon, 10 May 2004, Chris Ricker wrote:
>On Mon, 10 May 2004, Havoc Pennington wrote:
>
>> Hi,
>>
>> Something we've wanted to do for a long time is create a matrix of
>> programs that should support Kerberos authentication, and start checking
>> them off. I guess this includes both client-side and server-side.
>>
>> Does anyone have a good start on this?
>>
>> Any real-world experience/scenarios where Kerberos support was needed
>> and not available? (Which things should be Kerberized first?)
>
>RH actually used to support krb a bit better than it does now ;-(
>
>At any rate, apps which need kerberization:
>
>ssh -- can't remember off-hand if RH RPMs are patched now or not?
>cups -- lprng did support, cups doesn't yet
>dovecot -- uw-imap did support, dovecot doesn't yet
cyrus-imap does support it. We have had good success integrating it
with squirrelmail also.
>MUA -- no idea, as I don't use any of the ones RH ships
>Mozilla -- efforts appear underway here
>amanda -- not sure if upstream supports krb5 or just krb4 right now, but
>kerberized backups are a requirement here
>
>For me, though, the biggest problem is the generic pam / glibc / moon phase
>/ whatever interaction where RH and Fedora systems blow up badly, failing to
>degrade back to existing local accounts, if a distributed information /
>authentication (LDAP, krb, NIS) is down.... Any enterprise that's going
>Kerberos, IMHO, can mostly work around the rest simply by pushing out more
>functional software than what RH ships, but that one can be kinda a pain to
>work around....
Yes. Right now the biggest complaint with the RHEL-3/Fedora
laptops is that they are useless if taken offline without a manual
change of turning off LDAP+etc.
--
Stephen John Smoogen smoogen lanl gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --