RX Kerberos 5 security class requirements of Kerberos library

Sam Hartman hartmans at MIT.EDU
Sun Jan 21 18:05:38 EST 2007

>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:

    Jeffrey> Troy Benjegerdes wrote:
    >>>> This way the function can only be used for localauth and
    >>>> cannot be used to specify an arbitrary client name to the
    >>>> service whose key is in the service keytab.
    >>> Sorry, I find this lame.  And I still have yet to hear what is
    >>> so wrong with using OS facilities for local auth.
    >>  Having a single code path for *ALL* authentication that goes
    >> to a standard library makes security auditing much easier. If
    >> we have to use kerberos for network and OS facilities for local
    >> auth, now we have the network code path, and the local OS code
    >> path which will be different on every OS.
    >> Now, maybe we can just have the OS provide a nice kerberos wire
    >> or API protocol compatible local auth facility, we might have
    >> something everyone likes.

    Jeffrey> Troy:

    Jeffrey> It is important to realize that when we discussion
    Jeffrey> localauth with regards to AFS we are not discussing
    Jeffrey> single machine authentication.  Instead we are discussing
    Jeffrey> local authentication within an AFS cell.  We are not
    Jeffrey> discussing the use of local OS facilities.

That's certainly the AFS community's position.  I don't think they
have made a compelling case for localauth beyond a single machine.

But can we please get this level of afs-specificity off of krbdev?
Refine things to proposed requirements; bring those forward; then
design in terms of general requirements.

More information about the krbdev mailing list