abo@xxxxxx (Alexander Boström) writes:

>> > kshd/klogind are fully encrypted if set up correctly...
>>
>> Setting up krb5 correctly without virtualization technology (e.g. vserver)
>> or much money for extra hardware and power supply is nearly impossible...
>> Else, you will have only trouble with hostname vs. DNS name conflicts
>> and/or multi-homed hosts.
>
> Arguing that Kerberos is useless/unusable/broken/whatever is futile.
> It's not.

It is impossible in the typical FC environment (2-3 hosts in a network, where
one machine has 'www', 'ldap', 'imap', 'kerberos', 'db' alias names). You will
never get GSSAPI authentication with MIT Kerberos running there.

> It also cannot be replaced with SSH.

I never said this... Just that the FC Kerberos cannot be set up correctly
within a vanilla FC environment.

>> The shipped KRB5 implementation misses features like replication or support
>> for renaming of principals; and the rest of the system misses krb5 support
>> completely (cups, w3m, svn), nobody cares about it (e.g. no SPNEGO support
>> in firefox because of missing buildrequires) or its implementation is not
>> well thought out (e.g. login for local accounts fails when the network is down).
>
> Yes, this should be fixable. I'm mostly interested in Firefox and CUPS.
> Are there bug reports already or should they be filed?

AFAIR, I filed the missing BR for firefox years ago already; it was fixed then
but seems to be broken again.

cups is an upstream issue; there are from time to time requests on the
cups-devel list, but no results yet. For now, I replace KRB with SSH, and
print with 'ssh trusted-host lpr'.

>> ssh is much easier to use and provides neat features like encryption
>> of X11 connections.
>
> Heimdal has secure X11 forwarding.

Yes, Heimdal seems to be far superior to MIT Kerberos. It supports replication
and has better AFS support (although I do not know if this is still an issue
with recent, krb5-based OpenAFS). It is a puzzle why FC ships MIT Kerberos
only...

But I saw the man page of BSD's implementation of Kerberos... Support for TCP
transport and tunneling over HTTP proxies... wow... I want to have this
also...

Enrico
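The hostname-vs-DNS and multi-homed-host trouble mentioned in the thread comes down to which principal name a client ends up asking the KDC for. The following is an added example (not from the thread, and not MIT or Heimdal code): a small model of client-side name canonicalisation, run over a constructed DNS table for a network of the kind described (one box answering to 'www', 'ldap', 'imap' as aliases, with two interfaces), and checked against a constructed keytab. The canonicalisation rule it implements (follow CNAMEs, then, when rdns is on, substitute the PTR of whichever address the resolver returns) is a simplified assumption about MIT krb5's behaviour; all names, addresses and keytab entries are made up.

```python
# Added example: model which service principal a Kerberos client would request
# for each alias of a multi-homed host, and report the ones a keytab lacks.
# DNS data, realm and keytab below are constructed for illustration only.

REALM = "EXAMPLE.TEST"

# Constructed forward zone: name -> (CNAME target or None, list of A records).
FORWARD = {
    "server1.example.test": (None, ["192.0.2.10", "198.51.100.10"]),
    "server1-backup.example.test": (None, ["198.51.100.10"]),
    "www.example.test": ("server1.example.test", []),
    "ldap.example.test": ("server1.example.test", []),
    "imap.example.test": (None, ["192.0.2.10"]),   # alias as a plain A record
}

# Constructed reverse zone: the second interface carries its own PTR name.
REVERSE = {
    "192.0.2.10": "server1.example.test",
    "198.51.100.10": "server1-backup.example.test",
}

# Constructed keytab contents of the multi-homed host.
KEYTAB = {
    "host/server1.example.test@EXAMPLE.TEST",
    "imap/server1.example.test@EXAMPLE.TEST",
    "ldap/ldap.example.test@EXAMPLE.TEST",
}

# (service, hostname the client was given) pairs to audit.
SERVICES = [
    ("host", "server1.example.test"),
    ("ldap", "ldap.example.test"),
    ("imap", "imap.example.test"),
    ("HTTP", "www.example.test"),
]


def resolve_forward(name):
    """Follow the CNAME chain and return (canonical name, its A records)."""
    seen = set()
    while True:
        if name not in FORWARD:
            raise KeyError(f"no forward record for {name}")
        cname, addrs = FORWARD[name]
        if cname is None:
            return name, addrs
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cname


def candidate_principals(service, name, rdns=True):
    """Every principal a client might request for service/name.

    Without rdns the canonical name is fixed by the forward lookup. With rdns
    (assumed model) the client replaces it by the PTR of the address it
    happened to pick, so on a multi-homed host each address can lead to a
    different principal; all of them are returned.
    """
    canon, addrs = resolve_forward(name)
    if not rdns or not addrs:
        return {f"{service}/{canon}@{REALM}"}
    return {f"{service}/{REVERSE.get(a, canon)}@{REALM}" for a in addrs}


def audit(keytab, services, rdns=True):
    """Return (service/name, sorted missing principals) for each alias that can fail."""
    problems = []
    for service, name in services:
        missing = sorted(p for p in candidate_principals(service, name, rdns)
                         if p not in keytab)
        if missing:
            problems.append((f"{service}/{name}", missing))
    return problems


if __name__ == "__main__":
    for rdns in (True, False):
        print(f"rdns={rdns}")
        for target, missing in audit(KEYTAB, SERVICES, rdns):
            print(f"  {target}: keytab lacks {', '.join(missing)}")
```

Run as a script it lists, for both rdns settings, the aliases whose GSSAPI authentication would fail against this keytab. The same audit can be repeated with a real zone and the output of `klist -k` as input; the two defensive fixes it points at are holding keys for every name canonicalisation can produce, or making the forward and reverse records of every interface agree on one canonical name.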