Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Why no SuSE RPMs for KDE 3.1.4 security update?
  • From: Felipe Alfaro Solana <felipe_alfaro@xxxxxxxxxxxxx>
  • Date: Thu, 25 Sep 2003 16:27:08 +0200
  • Message-id: <1064500027.1293.6.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
On Tue, 2003-09-23 at 16:48, r.maurizzi@xxxxxxxxxxxxx wrote:
> On a more serious tone, I'm interested in the uses of Kerberos.
> I already have single sign on by using OpenLDAP + pam_ldap, and I still
> have to find a situation where an authentication system would be useful AND
> worth the management efforts and costs.

Well, OpenLDAP + pam_ldap is not single sign-on: if you SSH into host A
and, from host A, you SSH again to host B, you will get prompted for a
user name and password.

With single sign-on, you will SSH into host A, and will be able to SSH
again into host B without being prompted for a password. That's how I
have my network configured at home. I do only log on once, and I can
access my IMAP mailbox, my servers and the OpenLDAP server without my
credentials again.

> If you've the time, could you please write something on the management of
> such a system, the problems one could encounter, the kind of users you think
> could benefit from this, etc?

That would take a lot of time, but I will try to resume it. Basically,
installing Kerberos V for the very first time is not exactly a
user-friendly experience. Documentation is scarce and you will find
yourself playing cat and mouse from time to time. However, once you have
done it once, it's pretty straightforward.

You will need a solid network infrastructure: NTP for time sync and
DNS, to name a few. Enabling Kerberos V authentication is easy and many
distributions do have GUI tools to do that. Kerberos V by itself won't
provide for a centralized user account repository: you'll need to keep
/etc/passwd in sync between your servers, but if you add OpenLDAP to the
mix, it will pay for itself. You'll get single sign-on and centralized
administration (well, nearly, since passwords must be set using Kerberos,
but there are ways to integrate password changes with Kerberos V).

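The pieces Felipe describes (a forwardable Kerberos TGT so the hop from host A to host B needs no second password, OpenSSH with GSSAPI on both ends, OpenLDAP as the account repository behind NSS, and a clock-skew check because Kerberos rejects tickets from badly synced clocks) as a worked example. This is an added illustration, not code from the original post or from any distribution; the realm HOME.EXAMPLE, the KDC kdc.home.example and the LDAP server ldap.home.example are assumed names. The functions print the configuration fragments rather than writing to /etc, so the script can be run and inspected safely.

```shell
#!/bin/sh
# Added example (not from the original post): the configuration fragments
# needed for Kerberos V + OpenLDAP + OpenSSH single sign-on, plus a check
# for the clock-skew limit that Kerberos enforces.
# Assumed names: realm HOME.EXAMPLE, KDC kdc.home.example, LDAP ldap.home.example.

# MIT Kerberos rejects tickets when client and KDC clocks differ by more
# than the configured clockskew; the library default is 300 seconds.
MAX_SKEW=300

# check_clock_skew CLIENT_EPOCH KDC_EPOCH
# Returns 0 when the two clocks are within MAX_SKEW seconds, 1 otherwise.
check_clock_skew() {
    if [ "$1" -ge "$2" ]; then diff=$(( $1 - $2 )); else diff=$(( $2 - $1 )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# krb5_conf REALM KDC_HOST -> /etc/krb5.conf for every client and server.
# "forwardable = true" is what lets host A pass the TGT on to host B.
krb5_conf() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
    forwardable = true
    clockskew = $MAX_SKEW

[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$domain = $1
EOF
}

# ssh_client_conf DOMAIN -> /etc/ssh/ssh_config: authenticate with the TGT
# and delegate (forward) it so the next hop can do the same.
ssh_client_conf() {
    cat <<EOF
Host *.$1
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

# sshd_conf -> /etc/ssh/sshd_config on every server; the host needs a
# host/<fqdn>@REALM key in /etc/krb5.keytab, which is why DNS must be right.
sshd_conf() {
    cat <<EOF
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
}

# nss_ldap_conf LDAP_HOST BASE_DN -> /etc/nsswitch.conf plus /etc/ldap.conf
# so accounts come from OpenLDAP instead of a hand-synced /etc/passwd.
nss_ldap_conf() {
    cat <<EOF
# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap
# /etc/ldap.conf (nss_ldap)
host $1
base $2
EOF
}

# pam_conf -> PAM "auth" stack: Kerberos first, local accounts as fallback.
pam_conf() {
    cat <<EOF
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so use_first_pass
EOF
}

# Run with "show" to print every fragment for review.
if [ "${1:-}" = "show" ]; then
    krb5_conf HOME.EXAMPLE kdc.home.example
    ssh_client_conf home.example
    sshd_conf
    nss_ldap_conf ldap.home.example "dc=home,dc=example"
    pam_conf
fi
```

With these in place the daily flow is: `kinit` once (or let pam_krb5 obtain the TGT at login), `ssh hostA.home.example`, and from there `ssh hostB.home.example` with no password prompt; `klist` on host A shows the forwarded ticket. Delegating the TGT means host A can impersonate you to any service, so only set `GSSAPIDelegateCredentials yes` for hosts you administer and trust.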