[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Intent to package KerberosV

> Now that KerberosV has hit the European mirrors (origin unknown) I propose
> to package it.

I've forwarded Matt the contents of my initial efforts at Debianizing
the package, basically the contents of /debian stripped of all source
code, which is mostly instructions on setting up the various services
and shell scripts to set up the necessary configuration files.

I hereby surrender my ITP Kerberos V to Matt.

Meanwhile, I've identified the following additional packages which can 
be Kerberized immediately via compile-time flags:

  IMAP (get your mail from the site you expected; prevent snooping)
  LPRNG (network print to the site you expected; prevent interceptions)
  POSTGRES (grant access to database via Kerberos tickets)
AMANDA can be K4'd today, and the development version can be K5'd.
(allow tape backups from the correct host; allow tape restorations 
from the correct host).

I have heard that the NCSA httpd can be Kerberized, but I haven't
looked at it in great detail.

XFREE86, unfortunately, uses a slightly older Kerberos V API.
This is unfortunate since Kerberized X11 would be *extremely* nice.
(With MIT-KERBEROS-5 authentication, xdm will acquire your Kerberos
ticket at login and users don't need to learn anything new.)
Also, if the 9th Circuit Court ruling stands it may be possible
to include DES encryption in X11 (XDM-AUTHENTICATION-1).  Neither
of these authentication methods are subject to compromise by a local
packet sniffer, unlike MIT-MAGIC-COOKIE-1.

Finally, there is some work on a digital certificate/Kerberos V gateway.
The primary use is smart cards (you don't log in, you put your smart
card into the reader) but it's also possible to set up web browsers
to run Kerberized applications on behalf of a SSL client.  I don't
know if this software has been extensively mirrored outside of the US.

Bear Giles

Reply to: