On Mon, 2004-05-10 at 23:13, Havoc Pennington wrote: > Hi, > > Something we've wanted to do for a long time is create a matrix of > programs that should support Kerberos authentication, and start checking > them off. I guess this includes both client-side and server-side. > > Does anyone have a good start on this? > > Any real-world experience/scenarios where Kerberos support was needed > and not available? (Which things should be Kerberized first?) My home network is completely Kerberized, and runs ontop of IPv6 + IPSec... A lot of programs do already suppport Kerberos but, of course, there are still programs that don't support some of these technologies. For example: * cyrus-imapd supports Kerberos, since it uses cyrus-sasl, but does not still support IPv6. * evolution does support Kerberos and IPv6. * OpenLDAP supports Kerberos and IPv6. * OpenSSH does support Kerberos and IPv6. * AFAICT, Apache does not still supoort Kerberos, but does support IPv6. This would be interesting. * AFAICT, Squid does not still support Kerberos. * IIRC, ncftp and lftp don't support Kerberos, but do support IPv6 * The ftp command line tool that comes with krb5-workstation does support Kerberos, but not IPv6. * The telnet commnand line tool that comes with krb5-workstation does support Kerberos plus IPv6, with encrypted sessions. * IIRC, cups has some patches to add Kerberos support, but I think they are not included upstream. These are mainly the programs I use daily on my home network. I think Apache and Squid should be immediately Kerberized, as well as cups. They are basic infrastructure software.
