Kerberos Authentication and NetInfo

Luke Howard lukeh at PADL.COM
Fri Apr 5 23:44:01 EST 2002

>I'm at the MIT Helpdesk trying to set up a Mac OS X lab.  I've been 
>trying to figure out some way to secure the Client-Server NetInfo 
>directory login (so that passwords aren't passed in the clear).  I've 
>read that there's a way to use Kerberos on LDAP directories (namely 
>Active Directory) but nothing on authenticating the communications 
>between client-server using NeXT and Apple's NetInfo directories.

I'm presuming you're talking about authentication within the NetInfo
RPC protocol. (If you're talking about logon authentication, you should
be using PAM and/or the Kerberos loginwindow authenticator.)

We implemented this back in 1997, using AUTH_GSSAPI in MIT Kerberos
for Xedoc's "Trusted NetInfo" product, which was never released.

However, Xedoc were generous enough to open source these enhancements,
and they are sitting in a branch in the Darwin tree. I updated the
code to use the University of Michigan's RPCSEC_GSS implementation.


Our resources for contributing to open source are finite, and I have
not had the time to finish integration and testing. We would be
willing to do this if either MIT or Apple could make a compelling
business case for doing so.

-- Luke

Luke Howard
PADL Software
