Date:      Fri, 16 Feb 2001 14:43:09 -0600
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        Terry Lambert <tlambert@primenet.com>
Cc:        arch@FreeBSD.ORG
Subject:   Re: List of things to move from main tree to ports (was Re: Wish List (was: Re: The /usr/bin/games bikeshed again))
Message-ID:  <20010216144309.D91104@hamlet.nectar.com>
In-Reply-To: <200102162018.NAA07491@usr05.primenet.com>; from tlambert@primenet.com on Fri, Feb 16, 2001 at 08:18:09PM +0000
References:  <Pine.NEB.3.96L.1010216125203.57795C-100000@fledge.watson.org> <200102162018.NAA07491@usr05.primenet.com>

On Fri, Feb 16, 2001 at 08:18:09PM +0000, Terry Lambert wrote:
> > The problem with Kerberos is that it requires substantial integration into
> > base system code that is very security-sensitive.  If you move KerberosIV
> > to a port without some form of integrating it into the base system while
> > using base system {telnetd,ftpd,...} then people who do run Kerberos will
> > suffer a great deal.
> 
> In theory, PAM is supposed to permit programs to deal with this;
> many people don't use other than the authentication portion of
> PAM, but it seems that the API is there.

No, this is really only for interactive authentication.  One must 
be able to get a password to a PAM-using process, and of course you
don't normally want to do this over the network.

> It would be worthwhile to abstract this code to the point that
> you could plug in Kerberos (or Heimdal), or something else, into
> the programs that currently have non-modular Kerberos specific
> code.

Well, there is already GSSAPI and SASL.  In fact, the telnetd and 
ftpd in src/crypto/heimdal use GSSAPI.

Now that we have a GSSAPI implementation in the base system (Heimdal),
we can work on bringing telnetd/ftpd/et al up to speed.  Unfortunately,
sshd uses its own security negotiation protocol which is incompatible
with GSSAPI.

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

