
Re: Kerberos on .debian.org?



On 8 Mar 2001, Turbo Fredriksson wrote:

> I've been playing with the krb5-* packages and I'm _IMPRESSED_!
> I never used Kerberos before, but it's cool (and secure, let's not
> forget that! :).

> With the help of 'libpam-krb5' and the pam_krb5_migrate.so (can be
> found at 'ftp://ftp.netexpress.net/pub/pam/') it would be 'easy' to
> be able to use krsh/ktelnet etc to login securely to any Debian
> machine.

Careful -- you should never use libpam-krb5 for authenticating remote
connections.  It won't provide secure communication with the remote user; the
password will be sent plaintext across the network, and then securely verified
against the KDC.  If you want Kerberos network authentication, you'll need to
set up krshd and ktelnetd.

(Using libpam-krb5 w/ sshd password authentication is marginally better -- but
you're still sending your password across the network to a machine you might
not trust.  At least, this is the Kerberos philosophy. :)

> NOTE: I have not been able to compile the migration module with the
>       latest krb5 packages yet, but we're working on it.

If we can get pam_krb5_migrate to compile against the Debian krb5 packages,
I'll be happy to package this module.  Looks like we have an uphill battle
with the upstream to get the header files we'll need, though. :)

Steve Langasek
postmodern programmer
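
An added example, not part of the original message: a small audit that flags PAM services whose auth stack verifies passwords with pam_krb5.so, split into the two cases the reply distinguishes (cleartext remote logins versus sshd password authentication). The service-name sets and the sample pam.d contents are assumptions constructed for illustration.

```python
# Assumed PAM service names (not from the original message); adjust per host.
CLEARTEXT_SERVICES = {"login", "rsh", "rlogin", "rexec", "ftp"}  # telnetd hands off to login
ENCRYPTED_SERVICES = {"sshd"}

def uses_krb5_password(service, files, seen=None):
    """True if the auth stack of `service` reaches pam_krb5.so, following includes.

    `files` maps a pam.d file name to its text, so the check runs offline.
    """
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return False
    seen.add(service)
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue
        kind = fields[0].lstrip("-")               # "-auth" silences load errors
        if kind == "@include":                     # Debian-style whole-file include
            if uses_krb5_password(fields[1], files, seen):
                return True
        elif kind == "auth":
            if fields[1] in ("include", "substack") and len(fields) > 2:
                if uses_krb5_password(fields[2], files, seen):
                    return True
            elif any(f.rsplit("/", 1)[-1] == "pam_krb5.so" for f in fields[1:]):
                return True
    return False

def audit(files):
    """Map each risky service to the concern raised in the message above."""
    findings = {}
    for svc in sorted(files):
        if not uses_krb5_password(svc, files):
            continue
        if svc in CLEARTEXT_SERVICES:
            findings[svc] = "password crosses the network in cleartext"
        elif svc in ENCRYPTED_SERVICES:
            findings[svc] = "password is still disclosed to the remote host"
    return findings

# Constructed sample pam.d contents, not taken from any real machine.
SAMPLE = {
    "common-auth": "auth sufficient pam_krb5.so\nauth required pam_unix.so try_first_pass\n",
    "rlogin": "auth required pam_nologin.so\n@include common-auth\n",
    "sshd": "@include common-auth\naccount required pam_unix.so\n",
    "ftp": "# auth required pam_krb5.so\nauth required pam_unix.so\n",
}

if __name__ == "__main__":
    for svc, why in audit(SAMPLE).items():
        print(f"{svc}: {why}")
```

Services that authenticate with Kerberos tickets (krshd, ktelnetd) never hand a password to PAM, so they do not appear in the findings.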


