Subject: Re: Centralized User and Password Management
To: NetBSD Users <netbsd-users@NetBSD.org>
From: Tillman Hodgson <tillman@seekingfire.com>
List: netbsd-users
Date: 11/25/2004 17:55:10
On Thu, Nov 25, 2004 at 11:21:50PM +0000, Dick Davies wrote:
> * Tillman Hodgson <tillman@seekingfire.com> [1103 22:03]:
> 
> > Kerberos only works "properly" if you Kerberize your entire environment.
> > This is often difficult and causes folks to avoid Kerberos because of an
> > unusual app or two. PAM allows those apps to be accommodated.
> 
> My understanding of PAM/Kerberos is sketchy, but I assume the client
> just blindly sends its user/pass to the server (which then gets a ticket
> on the user's behalf to validate the passphrase?), since
> PAM is fundamentally user/pass based. 

Right. pam_krb5 is useful for things like a local xlock, which never
touches a network, and for "weird" apps like SSL/telnet (where the
underlying transport is reasonably secure).

> So you lose your SSO features anyway, and also you have no real
> server identification (there are no tickets coming back from the 
> server to the client). You'd have to rely on SSL CRLs to 'untrust'
> a server, and we all know how useless they are.

As I said, PAM allows the odd app or two that might be preventing
Kerberizing an environment completely to still work. It's a stop-gap
measure until those legacy services can be properly migrated.

-T


-- 
When I were a lad, if grandpa caught us double sigging, it'd be straight
to bed with no bread and butter after a good thrashing.
    -- A.S.R. quote (Peter Radcliffe)
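The exchange Dick describes above (the PAM module takes the user's password, obtains a ticket on the user's behalf, and treats success as proof of the password) can be sketched as a toy model. The following is an added example written for this archive page, not code from the thread, from NetBSD, or from any real pam_krb5 module; the "KDC", the sealing primitive and the principal names are constructed stand-ins (HMAC tags instead of Kerberos encryption, no wire format). It shows the one check a practitioner wants to see in such a module: after the AS exchange, ask for a ticket to the host's own service principal and verify it against the local keytab, so that only a KDC that actually holds the host key can cause a login to succeed.

```python
import hashlib
import hmac
import os

# Constructed toy model of a PAM-style Kerberos password check (not real Kerberos).
TAG_LEN = 32          # HMAC-SHA256 tag length
SESSION_KEY_LEN = 32  # toy session keys are a fixed size so they can be split off


def derive_key(password: str, salt: str) -> bytes:
    """Toy string-to-key; a real KDC uses the enctype's string2key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def seal(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypt under key': data || HMAC(key, data). Integrity only."""
    return data + hmac.new(key, data, "sha256").digest()


def unseal(key: bytes, blob: bytes):
    """Return the payload if the tag verifies under key, else None."""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if hmac.compare_digest(tag, hmac.new(key, data, "sha256").digest()):
        return data
    return None


class ToyKdc:
    """Holds user keys (from passwords) and service keys (what keytabs hold)."""

    def __init__(self, users: dict, host_keys: dict):
        self.users = users            # principal -> long-term key
        self.host_keys = host_keys    # service principal -> long-term key
        self.tgs_key = os.urandom(32) # key the KDC uses to seal its own TGTs

    def as_exchange(self, principal: str, preauth: bytes):
        """AS exchange: pre-auth proves the client knows the user's key."""
        key = self.users.get(principal)
        if key is None or unseal(key, preauth) is None:
            return None
        session_key = os.urandom(SESSION_KEY_LEN)
        tgt = seal(self.tgs_key, principal.encode() + session_key)
        return seal(key, session_key), tgt

    def tgs_exchange(self, tgt: bytes, service: str):
        """TGS exchange: turn a TGT into a ticket sealed under the service key."""
        inner = unseal(self.tgs_key, tgt)
        if inner is None:
            return None
        principal = inner[:-SESSION_KEY_LEN]
        svc_key = self.host_keys.get(service)
        if svc_key is None:
            return None  # this KDC does not hold the host's key
        return seal(svc_key, b"ticket:" + principal + b"@" + service.encode())


def pam_krb5_authenticate(kdc, principal, password, host_service, keytab, verify=True):
    """What the PAM module does with a user/pass pair (hypothetical function name).
    verify=True adds the keytab check: the KDC must be able to issue a ticket for
    this host that verifies under the key in the host's own keytab."""
    user_key = derive_key(password, principal)
    preauth = seal(user_key, b"timestamp:constructed")
    reply = kdc.as_exchange(principal, preauth)
    if reply is None:
        return False  # wrong password or unknown principal
    enc_session, tgt = reply
    if unseal(user_key, enc_session) is None:
        return False  # reply was not sealed under the key we derived
    if not verify:
        return True   # password "worked", but the KDC itself is unauthenticated
    ticket = kdc.tgs_exchange(tgt, host_service)
    if ticket is None:
        return False
    return unseal(keytab[host_service], ticket) is not None


def demo():
    svc = "host/www.example.org"  # constructed service principal
    host_key = os.urandom(32)
    keytab = {svc: host_key}      # what /etc/krb5.keytab would hold on this host
    realm_kdc = ToyKdc({"alice": derive_key("correct horse", "alice")}, {svc: host_key})
    # A KDC that knows a key for "alice" but has no copy of this host's key.
    other_kdc = ToyKdc({"alice": derive_key("other", "alice")}, {})
    return {
        "good_password": pam_krb5_authenticate(realm_kdc, "alice", "correct horse", svc, keytab),
        "bad_password": pam_krb5_authenticate(realm_kdc, "alice", "wrong", svc, keytab),
        "other_kdc_unverified": pam_krb5_authenticate(other_kdc, "alice", "other", svc, keytab, verify=False),
        "other_kdc_verified": pam_krb5_authenticate(other_kdc, "alice", "other", svc, keytab),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login ok' if ok else 'login refused'}")
```

The `other_kdc_unverified` case is the point of the keytab check: with verification switched off, the module only learns that some KDC accepted the password, which is the "no real server identification" gap raised above; with verification on, the host's keytab key is the anchor that ties the answer to the realm's real KDC. Real pam_krb5 modules offer such a keytab-based verification step; the option name varies by implementation and is not shown here.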