Date: Fri, 16 Feb 2001 14:43:09 -0600 From: "Jacques A. Vidrine" <n@nectar.com> To: Terry Lambert <tlambert@primenet.com> Cc: arch@FreeBSD.ORG Subject: Re: List of things to move from main tree to ports (was Re: Wish List (was: Re: The /usr/bin/games bikeshed again)) Message-ID: <20010216144309.D91104@hamlet.nectar.com> In-Reply-To: <200102162018.NAA07491@usr05.primenet.com>; from tlambert@primenet.com on Fri, Feb 16, 2001 at 08:18:09PM %2B0000 References: <Pine.NEB.3.96L.1010216125203.57795C-100000@fledge.watson.org> <200102162018.NAA07491@usr05.primenet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Feb 16, 2001 at 08:18:09PM +0000, Terry Lambert wrote: > > The problem with Kerberos is that it requires substantial integration into > > base system code that is very security-sensitive. If you move KerberosIV > > to a port without some form of integrating it into the base system while > > using base system {telnetd,ftpd,...} then people who do run Kerberos will > > suffer a great deal. > > In theory, PAM is supposed to permit programs to deal with this; > many people don't use other than the authentication portion of > PAM, but it seems that the API is there. No, this is really only for interactive authentication. One must be able to get a password to a PAM-using process, and of course you don't normally want to do this over the network. > It would be worthwhile to abstract this code to the point that > you could plug in Kerberos (or Heimdal), or something else, into > the programs that currently have non-modular Kerberos specific > code. Well, there is already GSSAPI and SASL. In fact, the telnetd and ftpd in src/crypto/heimdal use GSSAPI. Now that we have a GSSAPI implementation in the base system (Heimdal), we can work on bringing telnetd/ftpd/et al up to speed. Unfortunately, sshd uses its own security negotiation protocol which is incompatible with GSSAPI. Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010216144309.D91104>