systematic Kerberization

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Tue May 11 07:22:22 UTC 2004


On Mon, 2004-05-10 at 23:13, Havoc Pennington wrote:
> Hi,
> 
> Something we've wanted to do for a long time is create a matrix of
> programs that should support Kerberos authentication, and start checking
> them off. I guess this includes both client-side and server-side.
> 
> Does anyone have a good start on this?
> 
> Any real-world experience/scenarios where Kerberos support was needed
> and not available? (Which things should be Kerberized first?)

My home network is completely Kerberized, and runs on top of IPv6 +
IPSec... A lot of programs do already support Kerberos but, of course,
there are still programs that don't support some of these technologies.

For example:

* cyrus-imapd supports Kerberos, since it uses cyrus-sasl, but still
does not support IPv6.
* evolution does support Kerberos and IPv6.
* OpenLDAP supports Kerberos and IPv6.
* OpenSSH does support Kerberos and IPv6.
* AFAICT, Apache still does not support Kerberos, but does support IPv6.
This would be interesting.
* AFAICT, Squid still does not support Kerberos.
* IIRC, ncftp and lftp don't support Kerberos, but do support IPv6
* The ftp command line tool that comes with krb5-workstation does
support Kerberos, but not IPv6.
* The telnet command line tool that comes with krb5-workstation does
support Kerberos plus IPv6, with encrypted sessions.
* IIRC, cups has some patches to add Kerberos support, but I think they
are not included upstream.

These are mainly the programs I use daily on my home network.

I think Apache and Squid should be immediately Kerberized, as well as
cups. They are basic infrastructure software.




