kerberos and smartphone clients

Nikolay Shopik shopik at inblock.ru
Tue Feb 9 02:24:41 EST 2010


On 09.02.2010 0:46, Luke Scharf wrote:
> Nikolay Shopik wrote:
>> Hello everyone,
>>
>> I'm in the middle of the process of making my mail server Kerberized.
>> Currently my infrastructure is only password based, but I plan to move
>> to PKINIT, thus using certificate based authentication. Afterward I
>> thought about my smartphone clients who use email on their phones; these
>> are exclusively iPhone users.
>> So this makes me think I should leave regular password based
>> authentication for these mobile clients, which isn't great because you
>> have to manage two separate dbs for logins/passwords. At the same time I
>> thought every mobile phone already has a smart card, which is the SIM
>> card; there is even EAP-SIM allowing it to be used to authenticate to
>> wireless networks. So what is the best way to accomplish this task,
>> without making a huge pain when managing logins/passwords?
>
> You can have PAM check the password that they enter against the Kerberos
> database. That way, they can either enter the Kerberos password -- or,
> if they have a Kerberos ticket, they will be authenticated
> automatically. This is how my mailserver at home is configured.
>
> In some cases, you might need to configure your mailserver to use SASL
> instead of PAM to check the entered password against the Kerberos
> password database. If you have your mailserver configured such that the
> users don't show up in "getent passwd", then you'll probably need SASL.
> But if they do show up as Unix users, PAM can easily work as the backend.
> -Luke
>

You mean PAM on the client? This won't work for me; most clients are running
Windows and a few Mac OS X. And I use virtual users, so they don't show up
in getent passwd.

So for now I have only one option: run a plain text password db along with
Kerberos for users who wish to log in to the mail server using their smartphone.
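As an added example, not taken from the thread, here is the server-side arrangement Luke describes for the virtual-user case: the mail server passes the cleartext password from SMTP AUTH to saslauthd, and saslauthd's kerberos5 mechanism verifies that password against the KDC, so no second password database is needed. File locations follow Debian/Ubuntu conventions, the MTA is assumed to be Postfix with Cyrus SASL, and the realm, hostname and keytab are placeholders; none of these details come from the original message.

```conf
# /etc/default/saslauthd  (Debian/Ubuntu path; assumed, not from the thread)
START=yes
# Verify submitted username/password pairs against the Kerberos KDC.
MECHANISMS="kerberos5"
OPTIONS="-m /var/run/saslauthd"

# /etc/postfix/sasl/smtpd.conf  (Cyrus SASL config read by Postfix smtpd)
pwcheck_method: saslauthd
# Only cleartext mechanisms can be checked against a password verifier
# such as saslauthd, so the password must be protected by TLS (see main.cf).
mech_list: plain login

# /etc/postfix/main.cf  (relevant lines only)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Never offer AUTH on an unencrypted connection.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# /etc/krb5.conf  (addition under [libdefaults])
# The kerberos5 mechanism obtains a TGT with the user's password and then
# verifies that TGT against this host's own key. If no keytab entry is
# available the verification step is silently skipped unless this is set,
# which would let an answer from a spoofed KDC pass. Assumes a host/<fqdn>
# entry in /etc/krb5.keytab that saslauthd can read.
verify_ap_req_nofail = true

# Check from the server once saslauthd is running (replace the placeholders):
#   testsaslauthd -u alice -p 'alice-password' -s smtp
```

With this in place the phones authenticate with the same Kerberos password the desktop clients use, while the desktop clients that hold a ticket can still use GSSAPI. The caveat worth keeping in mind is that the phone's password crosses the wire inside the TLS session and is then handled in cleartext by saslauthd, so the mail ports must require TLS and the keytab-backed verification above should be enabled, otherwise the Kerberos database provides the passwords but not the protection Kerberos normally gives.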