Kerberos Authentication and NetInfo
Luke Howard
lukeh at PADL.COM
Fri Apr 5 23:44:01 EST 2002
>I'm at the MIT Helpdesk trying to set up a Mac OS X lab. I've been
>trying to figure out some way to secure the Client-Server NetInfo
>directory login (so that passwords aren't passed in the clear). I've
>read that there's a way to use Kerberos on LDAP directories (namely
>Active Directory) but nothing on authenticating the communications
>between client-server using NeXT and Apple's NetInfo directories.
I'm presuming you're talking about authentication within the NetInfo
RPC protocol. (If you're talking about logon authentication, you should
be using PAM and/or the Kerberos loginwindow authenticator.)
We implemented this back in 1997, using AUTH_GSSAPI in MIT Kerberos
for Xedoc's "Trusted NetInfo" product, which was never released.
However, Xedoc were generous enough to open source these enhancements,
and they are sitting in a branch in the Darwin tree. I updated the
code to use the University of Michigan's RPCSEC_GSS implementation.
See:
http://www.opensource.apple.com/cgi-bin/registered/cvs/netinfo/servers/netinfod/?only_with_tag=lukeh-RPCSEC_GSS
http://www.opensource.apple.com/cgi-bin/registered/cvs/Libinfo/netinfo.subproj/?only_with_tag=lukeh-RPCSEC_GSS
Our resources for contributing to open source are finite, and I have
not had the time to finish integration and testing. We would be
willing to do this if either MIT or Apple could make a compelling
business case for doing so.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
More information about the krbdev
mailing list