On Mon, Jan 13, 2003 at 12:10:17PM -0500, David Z Maze wrote about Re: MIT versus Heimdal Kerberos 5:
> Frank Lenaerts <[EMAIL PROTECTED]> writes:
> > I configured MIT Kerberos 5 and can now use kerberised telnet, ftp,
> > rlogin and ssh. However, I also want to have X over Kerberos.
>
> My understanding is that you don't, really, and that the Kerberos code
> that appears in X might have maybe done authentication but not
> encryption when built against a really ancient pre-release of MIT
> krb5. Around here, everyone uses ssh's X forwarding (with Kerberos

This means that you actually have to log in to your local machine first
and then ssh to the application server where you can start your X
clients. This means that you do not have central user management anymore
(unless there is a kerberised login program, which does not seem to be
the case (Woody), to authenticate and then start the X server manually,
which does not encrypt the X traffic, like you mentioned above). This
also means that it would be more difficult for an end user to get a full
screen remote X session (window manager, etc. all running on the
application server), in the case where the X terminal is really an X
terminal (i.e. only runs the OS and an X server, possibly even diskless
[ignore NFS security problems for a while]).

It seems that I only have 2 options to choose from:

(1) Use Heimdal Kerberos 5 with kx and kxd
    + : in Woody and probably fairly easy to set up
    - : uncertain about stability, compatibility, ...

(2) Set up X terminals to authenticate via SSL/TLS to an LDAP server,
    which in turn gets the passwd information from a Kerberos server.
    + : more generic, i.e. also non-{x,g,k}dm logins can authenticate
        like this
    - : libldap2-tls is not part of Woody, but is already in testing so
        should be ok (didn't check dependencies on other testing stuff
        yet)
    - : long chain with conversions: PAM/LDAP, SSL/TLS, SASL

Any other pros or cons, suggestions appreciated!

> authentication). The ssh-krb5 package provides this, though you need
> to enable all of the options manually and remember to generate a
> keytab for the machine.

I've configured kerberised telnet, ftp, rlogin and ssh already, and it
works fine.

> --
> David Maze         [EMAIL PROTECTED]      http://people.debian.org/~dmaze/
> "Theoretical politics is interesting.  Politicking should be illegal."
>   -- Abra Mitchell

--
[EMAIL PROTECTED]
"Those who do not understand Unix are condemned to reinvent it, poorly."
  -- Henry Spencer
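The ssh route David describes depends on the server-side options being enabled by hand, and sshd_config has a gotcha that bites exactly there: the first occurrence of a keyword wins, so a "yes" appended below a shipped "no" is silently ignored. The following is an added example, not code from this thread or from the ssh-krb5 package: a small POSIX shell audit that reports the value sshd will actually use for the options a Kerberos-authenticated, X-forwarding ssh setup needs. It assumes modern OpenSSH option names (GSSAPIAuthentication, X11Forwarding; the thread does not name the Woody ssh-krb5 package's options), the first-occurrence-wins rule, and the "Keyword value" form only. The sample sshd_config is constructed inline.

```shell
#!/bin/sh
# Added example, not code from this thread or from the ssh-krb5 package.
# It reports the value sshd will actually use for the options that the
# "Kerberos auth + ssh X forwarding" setup depends on.
# sshd_config rules assumed: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and everything after a "Match" line is
# conditional, so it is ignored for the global value. Only the
# "Keyword value" form is parsed, not "Keyword=value".
# Where sshd is installed, `sshd -T` is the authoritative dump; this is
# for auditing a config file offline.

# Usage: sshd_effective FILE KEYWORD -> prints value, or "default" if unset
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        { k = tolower($1) }
        k == "match" { in_match = 1 }         # rest of file is conditional
        in_match { next }
        k == want && !found { found = 1; print tolower($2) }
        END { if (!found) print "default" }
    ' "$1"
}

# Usage: sshd_krb5_x11_ready FILE -> exit 0 only if every option is "yes".
# Option names are the modern OpenSSH ones (an assumption: the thread does
# not name the Woody ssh-krb5 package's options).
sshd_krb5_x11_ready() {
    ok=0
    for key in GSSAPIAuthentication X11Forwarding; do
        val=$(sshd_effective "$1" "$key")
        printf '%-22s %s\n' "$key" "$val"
        [ "$val" = yes ] || ok=1
    done
    return $ok
}

# Constructed sample: the admin appended "GSSAPIAuthentication yes" at the
# end, but an earlier "no" (and a Match block) mean sshd ignores it.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config for this example
Port 22
GSSAPIAuthentication no   # shipped default
X11Forwarding yes
GSSAPIAuthentication yes  # appended later; first occurrence wins
Match User guest
    X11Forwarding no
EOF
}

# Same file with the FIRST GSSAPIAuthentication line corrected in place
# (portable sed: write to a temp file, then move it back).
write_fixed_config() {
    write_weak_config "$1"
    sed 's/^GSSAPIAuthentication no/GSSAPIAuthentication yes/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

tmp=$(mktemp)
write_weak_config "$tmp"
sshd_krb5_x11_ready "$tmp" || echo "=> not ready: fix the FIRST GSSAPIAuthentication line"
write_fixed_config "$tmp"
sshd_krb5_x11_ready "$tmp" && echo "=> ready for Kerberos-authenticated ssh with X forwarding"
rm -f "$tmp"
```

Run it against a real file with `sshd_effective /etc/ssh/sshd_config GSSAPIAuthentication`; on the host itself, `sshd -T` gives the same answer from sshd's own parser and is the check to trust. The other half of David's reminder, the host keytab, can be confirmed on an MIT Kerberos host with `klist -k /etc/krb5.keytab`, which should list a `host/<fqdn>@REALM` entry.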