[32033] in Kerberos


Re: kerberos and smartphone clients

daemon@ATHENA.MIT.EDU (Nikolay Shopik)
Tue Feb 9 09:42:52 2010

Message-ID: <4B710DB9.4090705@inblock.ru>
Date: Tue, 09 Feb 2010 10:24:41 +0300
From: Nikolay Shopik <shopik@inblock.ru>
MIME-Version: 1.0
To: Luke Scharf <luke.scharf@clusterbee.net>, kerberos@mit.edu
In-Reply-To: <4B708636.9080005@clusterbee.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 09.02.2010 0:46, Luke Scharf wrote:
> Nikolay Shopik wrote:
>> Hello everyone,
>>
>> I'm in the middle of the process of making my mail server Kerberized. Currently
>> my infrastructure is only password based, but I plan to move to PKINIT,
>> thus using certificate based authentication. Afterward I thought about
>> my smartphone clients who use email on their phones; these are
>> exclusively iPhone users.
>> So this makes me think I should leave regular password based
>> authentication for these mobile clients, which isn't great because you
>> have to manage two separate DBs for logins/passwords. At the same time I
>> thought every mobile phone has a smart card already, which is the SIM card;
>> there is even EAP-SIM allowing its use to authenticate to wireless
>> networks. So what is the best way to accomplish this task, without making
>> a huge pain when managing logins/passwords?
>
> You can have PAM check the password that they enter against the Kerberos
> database. That way, they can either enter the Kerberos password -- or,
> if they have a Kerberos ticket, they will be authenticated
> automatically. This is how my mailserver at home is configured.
>
> In some cases, you might need to configure your mailserver to use SASL
> instead of PAM to check the entered password against the Kerberos
> password database. If you have your mailserver configured such that the
> users don't show up in "getent passwd", then you'll probably need SASL.
> But if they do show up as Unix users, PAM can easily work as the backend.
> -Luke
>

You mean PAM on the client? This won't work for me; most clients are running
Windows and a few Mac OS X. And I use virtual users, so they don't show up
in getent passwd.

So for now I have only one option: run a plain text password db along with
Kerberos for users who wish to log in to the mail server using their smartphone.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
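The two backends Luke describes, written out as an added configuration example that is not from either poster: a PAM stack for mail users who exist in "getent passwd", and a saslauthd setup for virtual users who do not. File paths, the `imap` PAM service name, the Debian-style saslauthd defaults file and the Postfix snippet are assumptions; check option names against your own pam_krb5 and saslauthd man pages.

```conf
# --- Path 1: users exist in "getent passwd" -> PAM backed by Kerberos ---
# /etc/pam.d/imap  (assumed PAM service name used by the IMAP daemon)
# pam_krb5 checks the typed password by requesting a TGT from the KDC.
# Verifying that TGT against the host keytab ("validate" on Red Hat
# pam_krb5; pam-krb5 does it automatically when a keytab exists) stops a
# spoofed KDC from turning a wrong password into a successful login.
auth     required   pam_krb5.so  validate minimum_uid=1000
account  required   pam_krb5.so
session  optional   pam_krb5.so

# --- Path 2: virtual users (not in getent passwd) -> SASL via saslauthd ---
# /etc/default/saslauthd (Debian layout, assumed)
# saslauthd verifies the password with the Kerberos 5 library directly,
# so no Unix account is needed and no second password database is kept.
START=yes
MECHANISMS="kerberos5"
OPTIONS="-c -m /var/run/saslauthd"

# /etc/postfix/sasl/smtpd.conf
# Postfix hands the PLAIN/LOGIN password sent by the phone to saslauthd.
# Because that password crosses the wire, pair this with
# smtpd_tls_auth_only = yes in main.cf so it is only accepted over TLS.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
```

With the saslauthd path in place, `testsaslauthd -u <principal> -p <password>` confirms the Kerberos check works before pointing the mail daemons at it.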
