Re: MIT versus Heimdal Kerberos 5

To: debian-user@lists.debian.org
Subject: Re: MIT versus Heimdal Kerberos 5
From: Frank Lenaerts <lenaerts.frank@pandora.be>
Date: Mon, 13 Jan 2003 22:11:38 +0100
Message-id: <[🔎] 20030113211138.GA13061@galaxy>
Mail-followup-to: debian-user@lists.debian.org
Reply-to: Frank Lenaerts <lenaerts.frank@pandora.be>
In-reply-to: <[🔎] 20030113185410.GA12620@galaxy>
References: <[🔎] 20030113122515.GA11645@galaxy> <[🔎] y68y95pc6x2.fsf@multics.mit.edu> <[🔎] 20030113185410.GA12620@galaxy>

on Mon, Jan 13, 2003 at 07:54:10PM +0100, Frank Lenaerts wrote about Re: MIT versus Heimdal Kerberos 5:

Some things I forgot.

> > My understanding is that you don't, really, and that the Kerberos code
> > that appears in X might have maybe done authentication but not

I suppose you mean that xdm supports authName MIT-KERBEROS-5 (which
would be passed to xauth).

> > encryption when built against a really ancient pre-release of MIT
> > krb5.  Around here, everyone uses ssh's X forwarding (with Kerberos
> 
> This means that you actually have to login to your local machine
> first and then ssh to the application server where you can start your
> X clients. 
> 
> This means that you do not have central user management anymore
> (unless there is a kerberised login program, which does not seem to be
> the case (Woody), to authenticate and then start the X server
> manually, which does not encrypt the X traffic (like you mentioned
> above).
> 
> This also means that it would be more difficult for an end user to get
> a full screen remote X session (window manager, etc. all running on
> the application server), in the case where the X terminal is really an
> X terminal (i.e. only runs the OS and an X server, possibly even
> diskless [ignore NFS security problems for a while]).
> 
> It seems that I only have 2 options to choose from:
> 
> (1) Use Heimdal Kerberos 5 with kx and kxd
>     + : in Woody and probably fairly easy to setup
>     - : uncertain about stability, compatibility, ...

      + : X traffic encrypted

> 
> (2) Setup X terminals to authenticate via SSL/TLS to an LDAP server,
>     which in turn gets the passwd information from a Kerberos server.
>     + : more generic i.e. also non-{x,g,k}dm logins can authenticate
>         like this
>     - : libldap2-tls is not part of Woody, but is already in testing
>         so should be ok (didn't check dependencies on other testing
>         stuff yet)
>     - : long chain with conversions: PAM/LDAP, SSL/TLS, SASL

      - : X traffic _not_ encrypted (only authentication towards the
          LDAP server, ...)


As a sidenote, I was just thinking that it might be easier to separate
the encryption part from the authentication part i.e.:

- setup an encrypted tunnel from the client to the application server
  (point-to-point) e.g. CIPE, IPSec to carry all application specific
  traffic 

- use Kerberos only to authenticate centrally


-- 
lenaerts.frank@pandora.be

Those who do not understand Unix are condemned to reinvent it, poorly."
-- Henry Spencer

Attachment: pgp6xUBtMQrLw.pgp
Description: PGP signature

Reply to:

References:
- MIT versus Heimdal Kerberos 5
  - From: Frank Lenaerts <lenaerts.frank@pandora.be>
- Re: MIT versus Heimdal Kerberos 5
  - From: David Z Maze <dmaze@debian.org>
- Re: MIT versus Heimdal Kerberos 5
  - From: Frank Lenaerts <lenaerts.frank@pandora.be>

Prev by Date: unsubscribe
Next by Date: OT Aliasing Multiple Addresses in Mutt
Previous by thread: Re: MIT versus Heimdal Kerberos 5
Next by thread: tmda
Index(es):
- Date
- Thread