From: Palle Girgensohn
Organization: Partitur
Date: Wed, 18 Mar 1998 02:10:25 +0100
To: questions@FreeBSD.ORG
Subject: Re: Kerberos basic questions
Message-ID: <350F1F01.11EDF46D@partitur.se>
References: <3.0.1.32.19980318000926.007bb7b0@posta.cisco.it>

Hello Antonio,

Not sure if this helps, but anyway:

Antonio Nati wrote:
>
> I'm trying to figure how to use kerberos in my environment.
>
> I have three WEB servers and a PPP server (all with FreeBSD 2.1.5), and I
> would like to have only one authentication service for all the boxes.
>
> As far as I'm seeing in my first 2.2.5 installation, kerberos doesn't
> manage at all all the supplemental information (uid, gid, home, etc) that
> are essential to define a user.
>
> So I imagine that I should anyway create new users with adduser on any
> system where they should work, adding them later to the kerberos database
> and using kerberos only to assure them fast logins on the various systems.
> Is that right?
>
> Other three questions.
>
> 1) Is there any kerberos mechanism in the last versions of apache?

Check http://andrew2.andrew.cmu.edu/minotaur/ . Carnegie-Mellon has a
Kerberos plugin for Netscape & MSIE. Not sure about Apache, but it can
be done by a handy C programmer. You need to know the inner secrets of
how to get the tickets from the plug-in... I guess it won't be easy. :(

>
> 2) Is the usage of Kerberos completely transparent or the programs must be
> modified in order to use it? The LOGIN options of the pppd server is going
> to check the kerberos database or it simply checks against the passwd file?
>

All programs must be kerberized. Don't know if this has been done to the
pppd. Besides, you probably can't use kerberos to authenticate ppp users
since it requires a UDP connection (you should be able to use the
Kerberos database, however). However, I'm no expert at the subject. Used
Kerberos as a user a couple of years ago.

> 3) Given the fact that I have a small amount of POP users already working,
> how to populate the kerberos database starting from the existing passwd
> file (and passing from MD5 to DES)?
>

If all you have are ppp users using pop, there's no real need for
Kerberos; the passwords don't travel the net? At least not more than
your ethernet segment. I'd save myself the trouble.

Regards,
Palle

/Palle