Re: Intent to package KerberosV
Recently I have become interested in kerberos, and I was almost
about to post an ITP, but I searched the archives, and found the
jobs has already been taken - last month.
Phew! What a relief - now I don't have to do it ;-)
In that thread (sorry, I don't know wny good way of following-up
on an archived thread), it was suggested that IMAP, LPRNG,
Postgres, Amanda, Xfree86, and PAM be supported. It there was also
concern as to what demand there would be for kerberos
versions of these programs. Well here is my 2 cents:
(Note: This is my impression of how things work. As I am only new
to Kerberos, and never seen Kerberos 5 yet, I could be wrong on
some things).
At the momement I am constantly using ssh, but I am getting rather fed
up with it, for the following reasons:
- major compatability problems with ssh2 vs ssh1, especially on Ultrix,
the computer I use most often at Uni. ssh2 version 1 compatability
is broken on this platform. ssh1 is OK, but my sysadmin says it has
security problems on IRIX and SunOs, and has removed the ssh1 server
from these computers. Kerberos 4 also has compatability problems. It has
been documented that kerberos V has been tested - I have yet to see if
this is true.
- ssh1 and ssh2 seem to take ages to open a new connection on this
Ultrix computer - in comparision kerberos 4 is much faster. I saw
somewhere the ssh was meant to be faster (more interactive) then
kerberos 5 - I hope this doesn't mean the speed has decreased in the new
version.
- if you don't want to have to enter your password each time you connect
to a remote computer (eg important for cvs over ssh), ssh requires you to
keep a copy of your private key on the remote computer. This private key
is valid indefinitely, so if somebody gets/breaks into your private key,
eg a year from now, it still will be valid. I really don't like this,
as I want to be able to connect from Uni to home, and I don't trust
the security of the computers at Uni. There are certain ways of using
ssh-agent to prevent the private key from having to be stored on disk of
the untrusted computer, but IMHO the risk still remains. Kerberos
tickets expire after a time limit, and while anyone who uses it
within that time limit could still do as much damage (eg rm -rf $HOME),
I think it is less risky.
Sure, there are problems with Kerberos, like what if the security of the
kerberos server gets comprimised, but IMHO this is a non-issue. If the
server at one organisation gets comprimised, the worst it could mean is
that all my accounts at that site get comprimised (at least that is my
opinion). NFS already makes the same thing possible without resorting to
breaking into kerberos servers ;-)
If I were to change to using Kerberos, I would most likely use the
following applications: postgresql, cvs, xdm, openldap, pop with
Maildir support(???? does something like this exist???). I have yet
to check what Mail clients I use actually have kpop support. :-). If
xdm cannot be ported, what about wdm and/or kdm???
Another application I have been considering: secure authorization for
diskless NFS clients - this would only be useful if I could get rid
of passwords in NIS, which means all programs have to support it (eg
xdm, xlock I think are the main problem areas). I am also looking at
openldap, but my feeling (at the momemt at least) is that kerberos would
be better for authentication.
My main concern for kerberos, at least with version 4, is that
when running kinit or kauth to "login" there doesn't seem to be anyway
of verifying that the kerberos server is the real server. Does
version 5 do anything to help this?
--
Brian May <bam@snoopy.apana.org.au>
PS: Please reply to bam@snoopy.org.au, the reply-to address, and not the
from address. This should happen automagically...
Reply to: