Spec for Kerberizing Ubuntu
dave at mudsite.com
Mon Jul 11 14:43:10 CDT 2005
Jeff Bailey wrote:
>Le lundi 11 juillet 2005 à 13:50 -0400, Andrew Forgue a écrit :
>>I've created the first part of a specification for adding Kerberos
>>support to all the packages possible. It's on the udu wiki @
>>http://udu.wiki.ubuntu.com/KerberizingUbuntu. It's just the starting
>>steps, but I'd like to get some buy in from some more senior
>>developersand some people to help me flesh this out a little more. I
>>know the package list and rationale need more work.
>>So if people could get a look over it and update, give me input or
>>anything else, I'd appreciate it.
>A few thoughts came to mind while reading it:
>1) We should document the choice of Kerberos provider.
>So far we've chosen MIT Kerberos without documenting a good deal about
>it. The decision was so far taken because of interoperability with
>other projects (RedHat uses MIT Krb5, as does SkoleLinux). The Debian
>Developer (Sam Hartmans) is very responsive.
>2) We should have a more detailed list of packages we care about, and
>possibly why we should inflict a kerberos dependancy on them.
>3) Notes on where using SASL or some sort of pluggable authentication
>architecture might be useful so that things in base don't get worse
>circular dependancy loops than already exist.
>4) The Spec is listed as a Dependent of itself. That's probably not
>5) It might also help get more people interested in Enterprise
>authentication systems if we include more details like when/why you'd
>use it. It would probably also be worth doing this as part of an ldap
>setup for directory authentication. Also, with nice security systems
>like this, it's worth giving a lot of documentation on pitfalls and
>such. No point in deploying Kerberos if the keytab files get on the
>machines insecurely. (The same really goes for information on handling
>ssh known hosts files in an enterprise setting, too)
>Hope that helps!
Since the topic of Kerberos has been brought up, I wanted to ask. What
are the differences between MIT Kerberos, and Heimdal Kerberos? I have
only administered on MIT Kerberos4 and 5, so don't know what Heimdal is
like. I am going to assume it is mostly under-the-hood differenced, but
any one know?
More information about the ubuntu-devel