Kerberos and integrated login

Kenneth Stephen y2kmvs at ebiz.austin.ibm.com
Thu Jan 16 01:59:44 EST 2003


On Thu, 16 Jan 2003, Luke Howard wrote:

>
> It's important to understand that a user's numeric user and group
> IDs, along with their home directory, shell, etc, are all required
> at Unix logon time, and these have to come from somewhere. Without
> getting into a religious argument, storing this information along
> with a user's key in a single repository offers some administrative
> reward at the expense of increasing exposure should the directory
> be compromised.
>
Luke,

Thanks for the reply. The point you mention above though is
not a very good one - by choosing Kerberos itself, one is exposing oneself
to a single point of security failure - the KDC. So if one has already
accepted that risk, then the directory is not an increased exposure -
particularly if one goes the DCE integrated login server route where there
is no centralized single point of failure (unlike LDAP).

Regards,
Kenneth
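The split that Luke's paragraph describes, Unix account attributes from one repository and authentication against the KDC, is what a typical Linux login stack looks like when NSS is pointed at LDAP and PAM at Kerberos. The fragments below are an added illustration, not configuration from either poster or from any named site; the hostnames, base DN and uid threshold are constructed placeholders.

```conf
# /etc/nsswitch.conf (illustrative): uid, gid, home directory and shell
# are resolved from local files first, then from the LDAP directory.
# No Kerberos key is ever stored or looked up here.
passwd:   files ldap
group:    files ldap
shadow:   files

# /etc/ldap.conf for nss_ldap (illustrative; constructed names)
uri              ldap://ldap.example.com/
base             dc=example,dc=com
nss_base_passwd  ou=People,dc=example,dc=com?one
nss_base_group   ou=Groups,dc=example,dc=com?one
# Bind read-only with TLS so a passive observer sees no attributes in clear.
ssl              start_tls
tls_checkpeer    yes

# /etc/pam.d/common-auth (illustrative): the password is verified by the
# KDC through pam_krb5; the directory is not consulted for the credential.
# minimum_uid keeps local system accounts (uid < 1000, assumed) on pam_unix.
auth  sufficient  pam_krb5.so  minimum_uid=1000
auth  required    pam_unix.so  nullok_secure try_first_pass
```

Read as two trust boundaries: a read-only compromise of the LDAP server exposes account metadata but no long-term keys, while a compromise of the KDC exposes every principal's key. Write access to the directory still matters, because whoever can edit the uid or home directory fields controls what a successfully authenticated user becomes on the host, so both repositories sit on the critical path regardless of whether they are merged.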
