
Re: Intent to package kth kerberos (krb4 or heimdal, not sure which)



And thus spake Jean Pierre LeJacq, on Fri, Mar 13, 1998 at 09:03:11AM -0500:
> On Fri, 13 Mar 1998, Raul Miller wrote:
> 
> > Jean Pierre LeJacq <jplejacq@quoininc.com> wrote:
> > > This is a fundamental flaw with kerberos (and SSL and similar
> > > systems). I believe that a better approach is to move encryption and
> > > authentication down to the IP layer as is done with SKIP and IPsec.
> > > ALL applications and protocols will then work without modification.
> > 
> > Er.. there's no reason not to use Kerberos and IPsec together.
> 
> I'm not particularly familiar with IPsec but SKIP provides
> authentication.  True you could use Kerberos but it would be
> redundant.  Not to say that Kerberos wouldn't be nice to have in
> Debian but, as you mentioned earlier, it would require patching all
> network applications.

Sort of. SKIP provides IP level authentication and encryption. Kerberos
provides user instance level authentication and encryption. Completely
different levels of security, there, and both useful for different
purposes.

> > Furthermore, I have some doubt about whether IPsec really addresses
> > the issues of user authentication and privacy -- in many cases it
> > seems more applicable to host and maybe application issues.
> 
> Not so.  It's a network security protocol.

Not exactly. It's an IP security protocol.

> > Also, SKIP, as far as I know, is an example of an early IPsec effort,
> > and SSL does not address all the same issues.
> 
> Not so.  SKIP is a competitor for ISAKMP which is part of IPSec.  That
> is the major disadvantage of SKIP; IETF has selected ISAKMP for
> standardization.  However, there are few if any implementations of
> ISAKMP and none that I know of for Linux.  Anyone have pointers here?
> SKIP is available now for many platforms and it seems to be getting
> industry backing.
> 
> > Raul, wondering about the implications of a Kerberos and ssh combo.
> 
> SKIP is very much like ssh except all the work is done at the IP level
> and all protocols get the benefit of encryption/authentication.

I don't think you're really seeing the distinction. SKIP only authenticates
IP packets. ssh authenticates users (if you want it to). Kerberos is an
identity verification and ticketing system, with a centralized authority
system. Entirely different.

All three are useful in different ways, and I'd like to see them all
available for Debian (but, my own time is way too tight to try to pull
off packaging kerberos; just started a new job last month).

-- 
Elie Rosenblum <erosenbl at nyx.net>  That is not dead which can eternal lie,
     <fnord at cosanostra.net>   And with strange aeons even death may die.
Developer / Mercenary / System Administrator             - _The Necromicon_