
Re: Authorization



In message <t4iogcjqrd1.fsf@silas-1.cc.monash.edu.au>, Brian May writes:
+-----
| What are tacacs+/xtacacs/radius? Are these any good as authorization
+--->8

They are authorization protocols used by dialup routers and the like.  Yes, 
free versions are available, at least for RADIUS and TACACS (not sure about 
TACACS+).

| Also, what is wrong/insufficient with authorization directly based on
| the principal's identity? (I assume programs supplied with Heimdal fall
+--->8

Every principal in the KDC is allowed to log in, and there's no way to 
specify privilege level.

Authentication:  "this user is who s/he claims to be"
Authorization:  "this user is permitted to do these things"

Kerberos only provides the former (well, barring the w2kproblem 
"extensions").  You want to have the latter as well as the former, unless 
you really want every principal in your KDC to have administrative access to 
your router.

-- 
brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.
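The distinction drawn in the message above (Kerberos answers "who is this?", something else must answer "what may they do?") is easy to see in code. The following is an added example, not part of the original thread and not Heimdal's own code: it takes an already-authenticated principal name and looks it up in a small ACL that assigns privilege levels, so that a principal the KDC vouches for but that appears in no ACL entry is authenticated yet still denied. The ACL format (`pattern level`, with `#` comments), the principal names and the numeric levels are all constructed for illustration; the realm is matched exactly and wildcards apply only to the name part, so an `*/admin` entry for one realm never grants anything to a principal from another realm.

```python
"""Authorization layered on top of Kerberos authentication (added example).

A Kerberos ticket proves the caller is `jane/admin@EXAMPLE.ORG`; it says nothing
about what jane may do.  This module decides that second question from an ACL.
The ACL format below is hypothetical and is NOT Heimdal's kadmind.acl format.
"""
import fnmatch

# Constructed ACL: "principal-pattern privilege-level", one per line.
# Anyone the KDC authenticates but who matches no entry gets level 0 (denied).
ACL_TEXT = """
# pattern                    level
*/admin@EXAMPLE.ORG          15
netops@EXAMPLE.ORG            7
monitor/*@EXAMPLE.ORG         1
"""


def split_principal(principal):
    """Split 'primary/instance@REALM' into (name, realm); the realm is mandatory."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def parse_acl(text):
    """Return a list of (pattern, level) entries; malformed lines are rejected
    rather than silently skipped, so a typo cannot quietly widen access."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(f"ACL line {lineno}: malformed entry {raw!r}")
        split_principal(parts[0])  # validates that the pattern carries a realm
        entries.append((parts[0], int(parts[1])))
    return entries


def privilege_level(principal, acl):
    """Highest privilege level granted to an authenticated principal (0 = none).

    The realm is compared exactly; fnmatch wildcards apply only to the name
    part, so '*/admin@EXAMPLE.ORG' never matches 'x/admin@EVIL.ORG'.
    """
    name, realm = split_principal(principal)
    level = 0
    for pattern, pat_level in acl:
        pat_name, pat_realm = split_principal(pattern)
        if pat_realm == realm and fnmatch.fnmatchcase(name, pat_name):
            level = max(level, pat_level)
    return level


def authorize(principal, required_level, acl):
    """Authorization decision: authenticated identity + ACL -> allow/deny."""
    return privilege_level(principal, acl) >= required_level


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed principals, as a KDC would have authenticated them.
    for who in ("jane/admin@EXAMPLE.ORG", "netops@EXAMPLE.ORG",
                "bob@EXAMPLE.ORG", "jane/admin@EVIL.ORG"):
        print(f"{who:28} level={privilege_level(who, ACL):2} "
              f"admin={authorize(who, 15, ACL)}")
```

Note that `bob@EXAMPLE.ORG` is a perfectly valid, authenticated principal and still ends up at level 0: that is exactly the gap the message describes, and the reason an authorization layer (whether an ACL like this one or a RADIUS/TACACS+ server) has to sit between the ticket and the router.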