RX Kerberos 5 security class requirements of Kerberos library

Troy Benjegerdes hozer at hozed.org
Sun Jan 21 17:54:37 EST 2007


> > This way the function can only be used for localauth and cannot be used
> > to specify an arbitrary client name to the service whose key is in the
> > service keytab.
> 
> Sorry, I find this lame.  And I still have yet to hear what is so wrong
> with using OS facilities for local auth.

Having a single code path for *ALL* authentication that goes to a standard
library makes security auditing much easier. If we have to use Kerberos
for network and OS facilities for local auth, now we have the network
code path, and the local OS code path which will be different on every
OS.

Now, maybe if we can just have the OS provide a nice Kerberos wire or API
protocol compatible local auth facility, we might have something
everyone likes.
