Spec for Kerberizing Ubuntu

dave walker dave at mudsite.com
Mon Jul 11 14:43:10 CDT 2005

Jeff Bailey wrote:

>Le lundi 11 juillet 2005 à 13:50 -0400, Andrew Forgue a écrit :
>>I've created the first part of a specification for adding Kerberos
>>support to all the packages possible.  It's on the udu wiki @
>>http://udu.wiki.ubuntu.com/KerberizingUbuntu.  It's just the starting
>>steps, but I'd like to get some buy in from some more senior
>>developersand some people to help me flesh this out a little more.  I
>>know the package list and rationale need more work. 
>>So if people could get a look over it and update, give me input or
>>anything else, I'd appreciate it.
>A few thoughts came to mind while reading it:
>1) We should document the choice of Kerberos provider.
>So far we've chosen MIT Kerberos without documenting a good deal about
>it.  The decision was so far taken because of interoperability with
>other projects (RedHat uses MIT Krb5, as does SkoleLinux).  The Debian
>Developer (Sam Hartmans) is very responsive.
>2) We should have a more detailed list of packages we care about, and
>possibly why we should inflict a kerberos dependancy on them.
>3) Notes on where using SASL or some sort of pluggable authentication
>architecture might be useful so that things in base don't get worse
>circular dependancy loops than already exist.
>4) The Spec is listed as a Dependent of itself.  That's probably not
>5) It might also help get more people interested in Enterprise
>authentication systems if we include more details like when/why you'd
>use it.  It would probably also be worth doing this as part of an ldap
>setup for directory authentication.  Also, with nice security systems
>like this, it's worth giving a lot of documentation on pitfalls and
>such.  No point in deploying Kerberos if the keytab files get on the
>machines insecurely.  (The same really goes for information on handling
>ssh known hosts files in an enterprise setting, too)
>Hope that helps!
>Jeff Bailey
Since the topic of Kerberos has been brought up, I wanted to ask.  What 
are the differences between MIT Kerberos, and Heimdal Kerberos?  I have 
only administered on MIT Kerberos4 and 5, so don't know what Heimdal is 
like.  I am going to assume it is mostly under-the-hood differenced, but 
any one know?


More information about the ubuntu-devel mailing list