Spec for Kerberizing Ubuntu

Jeff Bailey jbailey at ubuntu.com
Mon Jul 11 14:29:35 CDT 2005


On Monday, 11 July 2005 at 13:50 -0400, Andrew Forgue wrote:
> I've created the first part of a specification for adding Kerberos
> support to all the packages possible.  It's on the udu wiki @
> http://udu.wiki.ubuntu.com/KerberizingUbuntu.  It's just the starting
> steps, but I'd like to get some buy in from some more senior
> developers and some people to help me flesh this out a little more.  I
> know the package list and rationale need more work. 
> 
> So if people could get a look over it and update, give me input or
> anything else, I'd appreciate it.

A few thoughts came to mind while reading it:

1) We should document the choice of Kerberos provider.

So far we've chosen MIT Kerberos without documenting a good deal about
it.  The decision was so far taken because of interoperability with
other projects (Red Hat uses MIT Krb5, as does SkoleLinux).  The Debian
Developer (Sam Hartman) is very responsive.

2) We should have a more detailed list of packages we care about, and
possibly why we should inflict a Kerberos dependency on them.

3) Notes on where using SASL or some sort of pluggable authentication
architecture might be useful so that things in base don't get worse
circular dependency loops than already exist.

4) The Spec is listed as a Dependent of itself.  That's probably not
right.

5) It might also help get more people interested in Enterprise
authentication systems if we include more details like when/why you'd
use it.  It would probably also be worth doing this as part of an LDAP
setup for directory authentication.  Also, with nice security systems
like this, it's worth giving a lot of documentation on pitfalls and
such.  No point in deploying Kerberos if the keytab files get on the
machines insecurely.  (The same really goes for information on handling
ssh known hosts files in an enterprise setting, too.)

Hope that helps!

Tks,
Jeff Bailey





