Re: Vino: proposal for inclusion in GNOME 2.8
On Tue, 2004-07-13 at 20:03 +0100, Keith Sharp wrote:

> From browsing the archives of the Kerberos list at MIT, they seem to
> recommend using SASL if possible, then GSSAPI, and only krb5_* as a last
> resort.  

Yes, but those recommendations are for system daemons.  This is a
different case, really.

> I thought that if you added SASL support then you either got native
> Kerberos authentication through SASL/GSSAPI or, if your client didn't
> support GSSAPI, you used saslauthd and it took care of interacting with
> the system authentication bits for you.

No matter what you speak over the wire, you need to have underlying
support for the mechanisms.  With regular (not user-to-user) Kerberos
(via GSSAPI), you need a service key.  Then users have to explicitly
initialize the service key with a new password.  If you use the same
password for the service key, then the service key is the same as the
user's key (since a Kerberos key is derived from the password).
Avoiding all that is the reason Kerberos 5 supports user-to-user
authentication.

You could speak SASL for the exchange, but again it doesn't buy you much
since you can't really use any of the existing mechanisms from SASL
libraries like Cyrus.  You can run a local saslauthd on client machines
- but what is that going to do?  At least the model I am thinking about
is one where a client has root access on their machine, so you can't
just ship a copy of your company's shadow password file on each machine
for saslauthd to use :)

> > I think the whole point of user-to-user is to not have to create a
> > service principal for each user, and distribute the service key or the
> > password for it to each client machine.
> 
> Ah, I see. Needs more investigation on my part.
> 
> One other thing I forgot to mention, at some point Kerberos support
> would need to be added to vncviewer as well, otherwise it is all a bit
> pointless.  I haven't looked at the source for vncviewer to see how much
> work this would be.

Yeah.  I think the X source has some Kerberos user-to-user bits that
could be used as an example.
