Subject: Re: Centralized User and Password Management
To: NetBSD Users <netbsd-users@NetBSD.org>
From: Tillman Hodgson <email@example.com>
Date: 11/25/2004 17:55:10
On Thu, Nov 25, 2004 at 11:21:50PM +0000, Dick Davies wrote:
> * Tillman Hodgson <firstname.lastname@example.org> [1103 22:03]:
> > Kerberos only works "properly" if you Kerberize your entire environment.
> > This is often difficult and cases folks to avoid Kerberos because of a
> > unusual app or two. PAM allows those apps to be accommodated.
> My understanding of PAM/Kerberos is sketchy, but I assume the client
> just blindly sends its user/pass to the server (which then gets a ticket
> on the users behalf to validate the passphrase?), since
> PAM is fundamentally user/pass based.
Right. pam_krb5 is useful for things like a local xlock, which never
touches a network, and for "weird" apps like SSL/telnet (where the
underlying transport is reasonably secure).
> So you lose your SSO features anyway, and also you have no real
> server identification (there are no tickets coming back from the
> server to the client). You'd have to rely on SSL CRLs to 'untrust'
> a server, and we all know how useless they are.
As I said, PAM allows the odd app or two that might be preventing
Kerberizing an environment completely to still work. It's a stop-gap
measure until those legacy services can be properly migrated.
When I were a lad, if grandpa caught us double sigging, it's be straight
to bed with no bread and butter after a good thrashing.
-- A.S.R. quote (Peter Radcliffe)