
Re: Future of kerberised telnet, login, rsh, ftp?



On Wed, 2005-07-06 at 14:22 +1000, Brian May wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet@samba.org> writes:
> 
>     Andrew> I note that recent security advisories for both
>     Andrew> distributions were in these 'utility' programs (telnet,
>     Andrew> ftpd etc) rather than in the core kerberos code.
> 
> I don't use telnet, rsh, ftpd any more. I generally use ssh, sftp, etc
> instead. I feel safer using these tools, because I think security bugs
> will be found faster in ssh, as it gets more use, and hence more
> inspection, than the tools in Heimdal (not that openssh doesn't get
> its fair share of security bugs).
> 
> There is also the pop server. It is the only server I know of that
> supports Kerberos, at least in Debian. However, I only know of one
> client in Debian that supports Kerberos (or so it claims[1]), a client
> I don't use myself, and I tend to use courier-imap anyway.
> 
> I do think accessing mail via Kerberos would be a good idea, instead
> of entering a password each time... Not to mention being able to
> authenticate to web servers using a Kerberos ticket already
> obtained at log in. Then again I am getting off topic.

SASL covers most of this problem, and as I understand it, it is a far
more standard solution than kpop.  I don't know if the mail clients and
server use the sign/seal end or just the authentication, but I certainly
see GSSAPI as a supported password type for evolution.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
