Re: Use of Kerberos in Debian Edu

To: Petter Reinholdtsen <pere@hungry.com>
Cc: debian-edu@lists.debian.org
Subject: Re: Use of Kerberos in Debian Edu
From: Dominik George <dominik.george@teckids.org>
Date: Thu, 1 Sep 2016 21:07:13 +0200
Message-id: <[🔎] 20160901190713.GP29966@iupiter.teckids.org>
In-reply-to: <[🔎] 2flmvjrvjuv.fsf@diskless.uio.no>
References: <[🔎] 55874B1C-6A0B-40F8-9235-D88751D146BB@teckids.org> <[🔎] 2flmvjrvjuv.fsf@diskless.uio.no>

Hi Petter,

Petter Reinholdtsen schrieb am Thursday, 01. September 2016 um 15:18:48 +0200:
> [Dominik George]
> > One difference is we don't use Kerberos.
> 
> How sad.

Yeah.

> 
> > What is Kerberos used for in Debian Edu? I could not find any feature
> > that requires it.
> 
> It is used to check passwords during login.  It is the only way to do
> this that never send the password over the net, avoiding a small class
> of security problems.  

Sure. I know it is used - but user login is nothing that specifically
*needs* Kerberos in Debian Edu - it would be a matter of switching to
libpam-ldap instead. This isn't as good as Kerberos, sure - but it is no
point that makes any Debian Edu install *need* Kerberos.

> 
> > I assume it is only there because GOsa² defaults to adding it?
> 
> Nope, we had to add Kerberos support to GOsa².

Ah, OK. I actually did use Kerberos with GOsa² for a customer. Didn't
know it originated from Debian Edu ;).

> See <URL: https://www.nuug.no/aktiviteter/20100413-kerberos/ > for an
> introduction to Kerberos.  I implemented Kerberos support in Debian Edu
> based on that talk.  The talk is in English, so do not worry about the
> Norwegian introduction.

Thanks for pointing to that.

I would, indeed, love to just switch to plain Skolelinux. The thing is
that we need it synchronised across multiple locations and the central
LDAP is not Debian Edu and not GOsa maintained. None of this should be a
big issue.

I would, indeed, prefer to add Kerberos to our network as well, but at
the point where we figured out that we would want to have Kerberos, we
already had over a thousand users, and I have no idea how to add
Kerberos to that now. It would, in my understanding, involve having each
and every user reset their passwords, which is not feasable.

If you happen to ahve an idea on how to add Kerberos without involving
actions by every user, please let me know and I will happily do.

Cheers,
Nik

-- 
Dominik George (1. Vorstandsvorsitzender, Pädagogischer Leiter)
Teckids e.V. - Erkunden, Entdecken, Erfinden.
https://www.teckids.org

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Use of Kerberos in Debian Edu
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Use of Kerberos in Debian Edu
  - From: Petter Reinholdtsen <pere@hungry.com>

References:
- Use of Kerberos in Debian Edu
  - From: Dominik George <dominik.george@teckids.org>
- Re: Use of Kerberos in Debian Edu
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: Bug#836310: problems with ftp.skolelinux.org/wheezy
Next by Date: Bug#836310: problems with ftp.skolelinux.org/wheezy
Previous by thread: Re: Use of Kerberos in Debian Edu
Next by thread: Re: Use of Kerberos in Debian Edu
Index(es):
- Date
- Thread