Kerberized authorization service

edward@murrell.co.nz edward at murrell.co.nz
Tue Jan 29 19:31:43 EST 2008


>     Hey Edward,
>> The lack of a plain English introduction/explanation to the API is
>> probably
>> why Kerberos doesn't have a heck of a lot of application support.
>> (Anyone else listening here?)
> That's an excellent point.

Love Hörnquist Åstrand pointed out the Heimdal dev docs earlier, which
appear to give a basic primer (maybe I'll have the time and motivation
over the weekend). It looks promising, and gives me a basic idea of how
the various functions and data structures fit together...

Ken Hornstein: All that info would be incredibly helpful.
On that note, there's a lot of info that piles up in the list, which isn't
very ordered. For example, I have a 'nice' perl script for pushing out kdc
updates, which is designed to work and comes with a minimal cron entry,
and works from a config file in the kdc directory. But I don't have
anywhere to put it. Has anyone considered a wiki/other for kerberos stuff?


>> I'll chew over this a bit more...
>
> Thanks. Please let us know what emerges...
*Aliens rupture out of my thorax*

I digress.

Having slept on this... In my current position, I have no chance
whatsoever of getting Kerberos on to the servers I manage. I have managed
to convince people that some form of centralized setup would be a good
idea to ensure that old accounts are added/removed as required. Since
there's already a Novell LDAP setup floating around for web auth, I've
convinced them of that. However, half the people here are convinced that
Kerberos is a Microsoft technology *big sigh* and that it's 'insecure
because it uses UDP'.

Regardless of the intelligence of that statement, I'm not going to get
Kerberos rolled out at any time in the near future, but would like to
benefit from such a system to enforce access. With this in mind, would it
be possible to look at unhooking this system (let's call it accessd for
the moment, just so it has a name) from Kerberos, and writing a generic
protocol, so that it can be wrapped in kerberos/ssl/ssh/foobar as the
user/admin requires?

-Edward



More information about the Kerberos mailing list