Kerberos questions

[Marshall Vale]

At 2:26 PM -0600 7/11/03, James Reynolds wrote:
>During the recent Mac OS X Labs Webcast on security, these questions 
>came up.  I listed my answers below.  Do you mind looking them over 
>to make sure they are acurate?
>
>
>Q. Is Kerberos supported in Mac OS X client, or Server only?
>
>A. Kerberos is supported in Mac OS X client.

Client side functionality of Kerberos is available in Mac OS X 10.2 
(Jaguar) Client and Server. Mac OS X 10.2 (Jaguar) Server supports 
some specific services with Kerberized access.  A KDC is not 
available for either release.

Mac OS X Panther Server will provide an Apple KDC in addition to the 
services available in Jaguar.

>
>Q. Are there any plans to work with CUPS to incorporate kerberized 
>authentication into CUPS (the present solution involves a klpr 
>backend talking to a kerberized LPRng print server)?
>
>A. I believe Panther will have this functionality (but not sure).

Apple needs to resolve some issues with how CUPS communicates with 
services in the user's Security Session. You'll need to get someone 
from Apple to make a statement on whether they are going to address 
these issues for Panther or not.

>
>Q. It sounds like the Apple Password Server is more secure than 
>Kerberos, because the password is not passed over the network.  So 
>Kerberos is not the best choice?  Please elaborate.
>
>A. That is not correct.  Kerberos does not send the clear text 
>password over the network either.  In fact, Apple is embracing 
>Keberos in Mac OS X 10.3 by integrating it even more in the client 
>and server OS.

Looks good.

Marshall