[Gllug] LDAP and Kerberos
Nix
nix at esperi.org.uk
Wed Feb 1 01:07:15 UTC 2006
On Tue, 31 Jan 2006, Dani Pardo announced authoritatively:
> I've read that this protocol was written in the 80s, that v2 and
> v3 were bloated, and that v4 had security flaws. So v5 should be
> considered *the* Kerberos. What surprises me is.. has Microsoft
> really been the first to make a *broad deployment* of Kerberos
> with AD? Or have I been living under a rock?
All of MIT and all of Stanford are quite broad. And boyoboy do they
satisfy the `untrusted networks' and `untrusted clients' criteria. ;)
(the good fit to MIT's needs is hardly shocking given where Kerberos was
developed.)
> I mean, I have the impression that it has always been here, and yet
> it's not as easy as adding pam-kerberos to /etc/pam.d/* and "Voila!
> Single sign-on and central authentication!". Or is there any project
> going in that direction?
Kerberos will never be that simple to install. It's not that simple
to install on Win2K, for goodness' sake.
It's complex because truly paranoid security is a complex thing, with
lots of questions that need to be answered.
Have a nice intro to Kerberos in the form of a dialogue between Athena
and Euripides. I found that it explains many of the design tradeoffs and
the reasons for Kerberos's at-first-sight byzantine complexity very
well: <http://web.mit.edu/kerberos/www/dialogue.html>.
--
`I won't make a secret of the fact that your statement/question
sent a wave of shock and horror through us.' --- David Anderson
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug