On Mon, 10 May 2004, Chris Ricker wrote:

>On Mon, 10 May 2004, Havoc Pennington wrote:
>
>> Hi,
>>
>> Something we've wanted to do for a long time is create a matrix of
>> programs that should support Kerberos authentication, and start checking
>> them off. I guess this includes both client-side and server-side.
>>
>> Does anyone have a good start on this?
>>
>> Any real-world experience/scenarios where Kerberos support was needed
>> and not available? (Which things should be Kerberized first?)
>
>RH actually used to support krb a bit better than it does now ;-(
>
>At any rate, apps which need kerberization:
>
>ssh -- can't remember off-hand if RH RPMs are patched now or not?
>cups -- lprng did support, cups doesn't yet
>dovecot -- uw-imap did support, dovecot doesn't yet

cyrus-imap does support it. We have had good success integrating it with
squirrelmail also.

>MUA -- no idea, as I don't use any of the ones RH ships
>Mozilla -- efforts appear underway here
>amanda -- not sure if upstream supports krb5 or just krb4 right now, but
>kerberized backups are a requirement here
>
>For me, though, the biggest problem is the generic pam / glibc / moon phase
>/ whatever interaction where RH and Fedora systems blow up badly, failing to
>degrade back to existing local accounts, if a distributed information /
>authentication (LDAP, krb, NIS) is down.... Any enterprise that's going
>Kerberos, IMHO, can mostly work around the rest simply by pushing out more
>functional software than what RH ships, but that one can be kinda a pain to
>work around....

Yes. right now that is the biggest complaint with the RHEL-3/Fedora laptops
is that they are useless if taken offline without a manual change of turning
off LDAP+etc.

--
Stephen John Smoogen smoogen@xxxxxxxx
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --