
Re: Kerberos on .debian.org?



>>>>> "Steve" == Steve Langasek <vorlon@netexpress.net> writes:

    Steve> Careful -- you should never use libpam-krb5 for
    Steve> authenticating remote connections.

I know, and currently I'm only running this on one machine. The only reason I'm
using it today is for migration purposes.

I was looking through the pam_ldap module (v99) a couple of weeks ago, and that
had an SSL option. But that seems only to work with the Netscape LDAP server, not
OpenSSL...

With this (I haven't gotten that far yet), the request for authorization goes from
the login program used (login/sshd/ftp/whatnot) to PAM -> PAM-LDAP -> LDAP Server
and then to the KDC if it wants the password (I _THINK_ this is where the 'userPassword:
{SASL}username' comes into play, but I'm not sure :). All using SSL/TLS.

At least that's the way I want it to work, but I'm not sure if that's the way it
IS supposed to work :)

    Steve> It won't provide secure
    Steve> communication with the remote user; the password will be
    Steve> sent plaintext across the network, and then securely
    Steve> verified against the KDC.  If you want kerberos network
    Steve> authentication, you'll need to set up krshd and ktelnetd.

I am running krsh/ktelnet/kftp and that was my main idea about Kerberos in
Debian. I can use krsh instead of scp. I've seen a little too many indications
that ssh maybe isn't as secure as everybody thinks (SSH protocol problems,
man-in-the-middle attacks etc.).


PS. I'm offering to help Sam on creating such a system, I've already made it
    once, I'll just need a way to triple-check and finish it up :)
    And since Debian already runs LDAP, it shouldn't be THAT difficult :)

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

terrorist domestic disruption colonel killed jihad security toluene
Iran Marxist Mossad Rule Psix cryptographic Soviet Clinton Noriega
[See http://www.aclu.org/echelonwatch/index.html for more about this]
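Steve's caveat above (libpam-krb5 in the stack of a network-facing service only verifies the password against the KDC after it has already crossed the wire) is the kind of thing worth auditing for across /etc/pam.d. The following is an added example, not code from the thread or from Debian: it scans constructed sample PAM service files and reports which network-reachable services load pam_krb5.so in their auth stack. The set of "network services" and the sample file contents are assumptions made for the example.

```python
import re
from typing import Dict, List

# Services that receive a password from a remote client. If pam_krb5 sits in
# their auth stack, the password is only protected as far as the transport
# protects it (not at all for telnet/ftp/rsh) and is verified against the KDC
# afterwards. This set is an assumption for the example, not a Debian default.
NETWORK_SERVICES = {"sshd", "ftp", "telnet", "rlogin", "rsh", "pop", "imap"}

# Constructed sample /etc/pam.d/<service> contents so the example runs offline.
SAMPLE_PAMD: Dict[str, str] = {
    "login":  "auth    required   pam_krb5.so\n"
              "account required   pam_unix.so\n",
    "sshd":   "auth    sufficient pam_krb5.so minimum_uid=1000\n"
              "auth    required   pam_unix.so\n",
    "ftp":    "auth    required   pam_ldap.so\n"
              "auth    required   pam_unix.so use_first_pass\n",
    "telnet": "# disabled: pam_krb5.so\n"
              "auth    required   pam_unix.so\n",
}

# PAM service-file line: <type> <control> <module-path> [args...]
_PAM_LINE = re.compile(r"^\s*(auth|account|password|session)\s+(\S+)\s+(\S+)")


def krb5_auth_stacks(pamd: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service to the 'auth' lines that load pam_krb5.so."""
    hits: Dict[str, List[str]] = {}
    for service, text in pamd.items():
        for raw in text.splitlines():
            line = raw.split("#", 1)[0]          # ignore comments
            m = _PAM_LINE.match(line)
            if m and m.group(1) == "auth" and m.group(3).endswith("pam_krb5.so"):
                hits.setdefault(service, []).append(raw.strip())
    return hits


def remote_services_with_pam_krb5(pamd: Dict[str, str],
                                  network_services=NETWORK_SERVICES) -> List[str]:
    """Network-facing services whose auth stack uses pam_krb5 (sorted)."""
    return sorted(s for s in krb5_auth_stacks(pamd) if s in network_services)


if __name__ == "__main__":
    for svc in remote_services_with_pam_krb5(SAMPLE_PAMD):
        print(f"{svc}: password verified by pam_krb5 only after reaching the host")
```

On a real host, replace SAMPLE_PAMD with a dict built by reading each file under /etc/pam.d.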


