
Re: Kerberos/LDAP/SASL central authentication server howto



On Mon, 2004-08-09 at 19:59, Andreas wrote:
> On Mon, Aug 09, 2004 at 02:38:21PM +0200, Tarjei Huse wrote:
> > ?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of
> > tls to secure not only authentication but everything that happens over the
> > wire.
> 
> It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
> also.

Hi, 

Thanks a lot (to Marcus and Love as well) for the explanation!


Tarjei

> 
> Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
> authentication.
> 
> With ldapsearch, for example:
> $ ldapsearch -h ldap.server | head -5
> SASL/GSSAPI authentication started
> SASL username: andreas@DISTRO.CONECTIVA
> SASL SSF: 56  <---------- encrypted channel (only 56 bits though)
> SASL installing layers
> (...)
> 
> With digest-md5:
> $ ldapsearch -h ldap.server -Y digest-md5 | head -5
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> SASL username: andreas
> SASL SSF: 128  <---------------------
> SASL installing layers
> (...)
> 
> But Kmail, for example, even though supporting DIGEST-MD5, does not encrypt the
> rest of the traffic. That is, it doesn't request this additional layer of
> security.
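
The SSF line in the transcripts quoted above is what tells you whether a SASL security layer was actually negotiated. The following is an added example, not part of the original thread: a shell check that reads such a transcript and grades the SSF against a minimum. The function names, the default minimum of 128 and the sample transcripts (modelled on the output quoted above, plus one constructed SSF 0 case) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: grade the SASL security layer reported in an ldapsearch
# transcript. All names and sample transcripts below are constructed.

# Print "<mechanism> <ssf>" parsed from a transcript on stdin.
# Prints "none 0" when no SASL lines are present.
sasl_summary() {
    awk '
        /^SASL\/.* authentication started/ { sub(/^SASL\//, "", $1); mech = $1 }
        /^SASL SSF:/ { ssf = $3 }
        END { if (mech == "") mech = "none"; print mech, ssf + 0 }
    '
}

# Map an SSF to a verdict against a minimum (default 128).
#   0     -> no security layer: traffic after the bind is cleartext
#   1     -> integrity protection only, no confidentiality
#   < min -> encrypted, but below policy (the 56 in the GSSAPI run)
ssf_verdict() {
    if   [ "$1" -eq 0 ]; then echo "cleartext"
    elif [ "$1" -eq 1 ]; then echo "integrity-only"
    elif [ "$1" -lt "${2:-128}" ]; then echo "weak"
    else echo "ok"
    fi
}

# Read a transcript on stdin, print "<mech> ssf=<n> <verdict>".
check_transcript() {
    min=${1:-128}
    set -- $(sasl_summary)
    echo "$1 ssf=$2 $(ssf_verdict "$2" "$min")"
}

# Constructed samples, modelled on the transcripts in the message.
GSSAPI_RUN='SASL/GSSAPI authentication started
SASL username: andreas@DISTRO.CONECTIVA
SASL SSF: 56
SASL installing layers'
DIGEST_RUN='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 128
SASL installing layers'
# Constructed: a client that authenticates but requests no layer.
NOLAYER_RUN='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 0'

printf '%s\n' "$GSSAPI_RUN" | check_transcript 128   # GSSAPI ssf=56 weak
```

The OpenLDAP client tools can also refuse a weak layer at bind time through the SASL security properties option, for example `-O minssf=128`.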