Subject: Re: Centralized User and Password Management
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 12/09/2004 17:04:42
[ On Thursday, December 9, 2004 at 09:56:59 (+0000), Dick Davies wrote: ]
> Subject: Re: Centralized User and Password Management
>
> * John Nemeth <jnemeth@victoria.tc.ca> [1229 09:29]:
> >
> > } of the powerful features of Kerberos is ticket forwarding. It requires
> > } the client application understand Kerberos (or GSSAPI) well enough to
> > } actually forward the cached credentials rather than a username &
> >
> > Hmm, yes I see the problem. Kerberos doesn't really fit into the
> > traditional UNIX way of doing things. It seems that we need a new
> > protocol independent and method independent client/server
> > authentication protocol, where a server can tell a client what it wants
> > (i.e. prompt user for username and password, send Kerberos ticket,
> > etc.).
>
> SASL is supposed to address these issues - unfortunately it's horribly
> complex.
It does, sort of, though not the "single sign-on" desire....
BSD Auth (still freely(?) available from BSDI's BSD/OS) is much simpler
than hooking SASL into everything (there's that "specialized code" issue
rearing its ugly head again) and it seems to address all these issues
too and without needing _any_ specialized code (at least not more than
we've already got).... :-)
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>