Re: [suse-security] Why no SuSE RPMs for KDE 3.1.4 security update?
How many do that using kerberos?
I'm using Kerberos V. OpenSSH and OpenLDAP, for example, are using Kerberos V authentication. Also, I'm using pam_krb5. Don't know why there are so few people using Kerberos V. Single Sign-On is God's blessing.
Do you also allow remote X logins for generic users using KDM? :-D On a more serious note, I'm interested in the uses of Kerberos. I already have single sign-on by using OpenLDAP + pam_ldap, and I still have to find a situation where an authentication system would be useful AND worth the management efforts and costs. But I feel like I could be very wrong on this :-) If you have the time, could you please write something on the management of such a system, the problems one could encounter, the kind of users you think could benefit from this, etc? Many thanks in advance! :-) Ciao, Roberto
On Tue, 2003-09-23 at 16:48, r.maurizzi@digitalpha.it wrote:
On a more serious note, I'm interested in the uses of Kerberos. I already have single sign-on by using OpenLDAP + pam_ldap, and I still have to find a situation where an authentication system would be useful AND worth the management efforts and costs.
Well, OpenLDAP + pam_ldap is not single sign-on: if you SSH into host A and, from host A, you SSH again to host B, you will get prompted for a user name and password. With single sign-on, you will SSH into host A, and will be able to SSH again into host B without being prompted for a password. That's how I have my network configured at home. I only log on once, and I can access my IMAP mailbox, my servers and the OpenLDAP server without entering my credentials again.
If you have the time, could you please write something on the management of such a system, the problems one could encounter, the kind of users you think could benefit from this, etc?
That would take a lot of time, but I will try to summarize it. Basically, installing Kerberos V for the very first time is not exactly a user-friendly experience. Documentation is scarce and you will find yourself playing cat and mouse from time to time. However, once you have done it once, it's pretty straightforward. You will need a solid network infrastructure: NTP for time sync and DNS, to name a few. Enabling Kerberos V authentication is easy and many distributions do have GUI tools to do that. Kerberos V by itself won't provide for a centralized user account repository: you'll need to keep /etc/passwd in sync between your servers, but if you add OpenLDAP to the mix, it will pay for itself. You'll get single sign-on and centralized administration (well, nearly, since passwords must be set using Kerberos, but there are ways to integrate password changes with Kerberos V).
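The two infrastructure prerequisites named in the last message (time sync and DNS), as an added example that is not part of the thread or any poster's code: a Python preflight that flags hosts whose clock offset exceeds the 300-second MIT Kerberos default tolerance or whose forward and reverse DNS disagree. The host names, addresses, offsets and realm are constructed sample data, and the function names are hypothetical.

```python
# Added example: preflight for the two prerequisites named above, time sync and DNS.
# Every host name, address and offset here is constructed sample data; on a real
# network, fill the tables from socket.gethostbyaddr() lookups and an NTP query.
MAX_SKEW = 300  # seconds: default "clockskew" tolerance in MIT krb5.conf [libdefaults]
REALM = "EXAMPLE.TEST"  # constructed realm name

A_RECORDS = {"hosta.example.test": "192.0.2.21",  # forward DNS (name -> address)
             "hostb.example.test": "192.0.2.22",
             "imap.example.test": "192.0.2.23"}
# Reverse DNS (address -> name): the .22 entry is stale and .23 is missing.
PTR_RECORDS = {"192.0.2.21": "hosta.example.test",
               "192.0.2.22": "oldbox.example.test"}
OFFSETS = {"hosta.example.test": 412.0,  # clock offset from the KDC, in seconds
           "hostb.example.test": -1.8, "imap.example.test": 0.4}

def expected_principal(host, service="host"):
    """Service principal a client requests a ticket for, e.g. host/fqdn@REALM."""
    return f"{service}/{host.lower()}@{REALM}"

def dns_problems(host):
    """Forward and reverse lookups must agree, or the principal name can be wrong."""
    addr = A_RECORDS.get(host)
    if addr is None:
        return [f"no A record for {host}"]
    ptr = PTR_RECORDS.get(addr)
    if ptr is None:
        return [f"no PTR record for {addr}"]
    if ptr != host:
        return [f"PTR for {addr} is {ptr}; client may ask for {expected_principal(ptr)}"]
    return []

def skew_problems(host):
    """Authentication fails when a clock differs from the KDC by more than MAX_SKEW."""
    offset = OFFSETS[host]
    if abs(offset) > MAX_SKEW:
        return [f"clock off by {offset:+.0f}s, limit is {MAX_SKEW}s"]
    return []

def preflight(hosts):
    """Map each host to its list of problems (an empty list means ready)."""
    return {h: dns_problems(h) + skew_problems(h) for h in hosts}

if __name__ == "__main__":
    for host, problems in preflight(sorted(OFFSETS)).items():
        print(host, "OK" if not problems else "; ".join(problems))
```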
participants (2)
- Felipe Alfaro Solana
- r.maurizzi@digitalpha.it