
Re: MIT versus Heimdal Kerberos 5



on Mon, Jan 13, 2003 at 12:10:17PM -0500, David Z Maze wrote about Re: MIT versus Heimdal Kerberos 5:
> Frank Lenaerts <lenaerts.frank@pandora.be> writes:
> > I configured MIT Kerberos 5 and can now use kerberised telnet, ftp,
> > rlogin and ssh. However, I also want to have X over Kerberos.
> 
> My understanding is that you don't, really, and that the Kerberos code
> that appears in X might have maybe done authentication but not
> encryption when built against a really ancient pre-release of MIT
> krb5.  Around here, everyone uses ssh's X forwarding (with Kerberos

This means that you actually have to login to your local machine
first and then ssh to the application server where you can start your
X clients. 

This means that you do not have central user management anymore
(unless there is a kerberised login program, which does not seem to be
the case (Woody), to authenticate and then start the X server
manually, which does not encrypt the X traffic (like you mentioned
above)).

This also means that it would be more difficult for an end user to get
a full screen remote X session (window manager, etc. all running on
the application server), in the case where the X terminal is really an
X terminal (i.e. only runs the OS and an X server, possibly even
diskless [ignore NFS security problems for a while]).

It seems that I only have 2 options to choose from:

(1) Use Heimdal Kerberos 5 with kx and kxd
    + : in Woody and probably fairly easy to set up
    - : uncertain about stability, compatibility, ...

(2) Set up X terminals to authenticate via SSL/TLS to an LDAP server,
    which in turn gets the passwd information from a Kerberos server.
    + : more generic i.e. also non-{x,g,k}dm logins can authenticate
        like this
    - : libldap2-tls is not part of Woody, but is already in testing
        so should be ok (didn't check dependencies on other testing
        stuff yet)
    - : long chain with conversions: PAM/LDAP, SSL/TLS, SASL

Any other pros or cons, suggestions appreciated!

> authentication).  The ssh-krb5 package provides this, though you need
> to enable all of the options manually and remember to generate a
> keytab for the machine.

I've configured kerberised telnet, ftp, rlogin and ssh already, and it
works fine.

> -- 
> David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
> "Theoretical politics is interesting.  Politicking should be illegal."
> 	-- Abra Mitchell

-- 
lenaerts.frank@pandora.be

"Those who do not understand Unix are condemned to reinvent it, poorly."
-- Henry Spencer
