Password expiration
Dr. Greg Wettstein
greg at wind.enjellic.com
Mon Mar 10 09:50:02 EST 2003
On Mar 8, 11:58am, "James F.Hranicky" wrote:
} Subject: Re: Password expiration
Good morning to everyone, I hope that this note finds your week going
well.
> Yes, much more I-dotting and T-crossing. Plus, I have little control
> over remote sites, which is really the whole point.
> In the end, without clients that make it easy, and without having
> *everything* Kerberized (meaning something still has to send the
> username/password over the network, albeit over an encrypted
> channel), I'm not going to be in a hurry to push Kerberized clients
> on my userbase. Turning off telnet 6 years ago in favor of SSH
> causes all sorts of headaches for people behind corporate firewalls,
> and I'm in no hurry to do that again unless a nice, user-friendly
> packaged solution exists, and all my remote users have to do is ask
> remote network admins to allow Kerberos through.
> However, I'm not opposed to slowly working on such solutions, in
> fact, I see it as critical for widespread Kerberos acceptance (apart
> from what's in Win2K, in which little seems to be Kerberized). It
> may amount to little more than writing some library code that can be
> dropped relatively easily into as many clients and servers as
> possible to make Kerberizing applications easy. It may amount to
> more than that, but hey, that's why we're having this conversation
> :-> I guess a good start would be anything using SASL (postfix, for
> one) because it already has code for GSSAPI auth.
> So, where do we begin? SASL? Hmmm...sylpheed, courier, and postfix
> all use or can use sasl...hmmm...
I'm actually very interested in helping get some momentum behind a
project such as this. I've been working on middleware architecture
and infrastructure design and development for the last 5-7 years and
I'm convinced that this is an area that needs serious attention in
order for secure and manageable OSS solutions to continue, let alone
accelerate, penetration into the enterprise.
At this point it's pretty clear to me that something on the order of a
significant open-source project is the only thing that is going to
make something like this happen. There are a bunch of tools and work
that need doing that I think pretty much only technical people
understand.
So if there is a group that would be interested in coordinating
efforts to develop strategies for getting all this stuff usable I
would be definitely interested in collaborating. As other people have
mentioned up to this point, anyone who has had to do major deployments
of Kerberos/LDAP has ended up rolling their own custom solutions. I
would think that there is enough commonality of need to develop an
open-source suite which can attack this problem space.
I have watched with considerable interest the Liberty Alliance
project, Shibboleth and a gamut of other middleware initiatives.
Unfortunately what I see from the trenches are very few organizations
which have even the remotest hope of deploying the type of
infrastructure needed to make these types of initiatives possible.
Unfortunately all of this starts from the basics and unless there are
some pretty fundamental tools available none of this stuff is going to
get traction.
> Jim
Best wishes for a pleasant start of the week.
}-- End of excerpt from "James F.Hranicky"
As always,
Dr. G.W. Wettstein, Ph.D.
Enjellic Systems Development, LLC.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-4950
FAX: 701-281-3949
WWW: http://www.enjellic.com
EMAIL: greg at enjellic.com
Specializing in information infra-structure development.
------------------------------------------------------------------------------
"Some of them are. A surprising number aren't. A personal favorite of
mine was the log from a cracker who couldn't figure out how to untar
and install the trojan package he'd ftped onto the machine. He tried a
few times, and then eventually gave up and logged out."
-- Nat Lanza