RX Kerberos 5 security class requirements of Kerberos library

Jeffrey Altman jaltman at secure-endpoints.com
Sun Jan 21 18:02:30 EST 2007


Troy Benjegerdes wrote:
>>> This way the function can only be used for localauth and cannot be used
>>> to specify an
>>> arbitrary client name to the service whose key is in the service keytab.
>> Sorry, I find this lame.  And I still have yet to hear what is so wrong
>> with using OS facilities for local auth.
>
> Having a single code path for *ALL* authentication that goes to a standard
> library makes security auditing much easier. If we have to use kerberos
> for network and OS facilities for local auth, now we have the network
> code path, and the local OS code path which will be different on every
> OS.
>
> Now, maybe we can just have the OS provide a nice kerberos wire or API
> protocol compatible local auth facility, we might have something
> everyone likes.

Troy:

It is important to realize that when we discuss localauth with
regards to AFS we are not discussing single machine authentication.
Instead we are discussing local authentication within an AFS cell. We
are not discussing the use of local OS facilities.

I do not disagree with your approach for services that exist only on a
single machine, but the AFS situation is different.

Jeffrey Altman


