On Sun 28-09-2003, at 00:45, David Z Maze wrote:
<snip>
> I think both Kerberos and RADIUS are "single sign-on" protocols: when
> you log on you get some sort of authentication token, which you can
> use to talk to other services without typing a password. I know much
> more about Kerberos, so I'll talk about that. I think it should be
> possible using only what's included in Debian to assemble
> infrastructure that gets Kerberos tickets on login (via PAM), and then
> you have mail services (Kerberos/SASL IMAP), a filesystem (OpenAFS),
> and passwordless ssh (ssh-krb5). User passwords are only stored one
> place (the Kerberos KDC), and once they've logged in they never need
> to type their password again.
>
> Even given this, you still need some way of distributing the (public)
> information in /etc/passwd. I think LDAP is good for this.
>
> --
> David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/
> "Theoretical politics is interesting. Politicking should be illegal."
> -- Abra Mitchell
>
This sounds like a much more integrated system and easier to maintain. I cannot see a sysadmin juggling all those user passwords for different programs. Do production-type servers use Kerberos or RADIUS more than PAM?

Benedict