RX Kerberos 5 security class requirements of Kerberos library
Nicolas Williams
Nicolas.Williams at sun.com
Wed Jan 3 12:23:30 EST 2007
On Wed, Jan 03, 2007 at 12:00:53PM -0500, Jeffrey Altman wrote:
> Nicolas Williams wrote:
> > Well, no, I'm saying that for localauth AFS should use OS facilities,
> > not Kerberos or any other security mechanism. And I'm saying that a
> > Kerberos-based PSK mechanism should be more general if there will be one
> > at all.
> >
> >> We can enforce the localauth case by how the client keytab is used.
> >
> > ?
> >
> The API will check that there exists a client keytab entry for the
> specified client principal.

But the API can't check that the key is correct without a trip to the
KDC.

> This way the function can only be used for localauth and cannot be used
> to specify an arbitrary client name to the service whose key is in the
> service keytab.

Sorry, I find this lame. And I still have yet to hear what is so wrong
with using OS facilities for local auth.