[4366] in Kerberos

Re: Help After Install

daemon@ATHENA.MIT.EDU (Anthony J. Lill)
Sat Dec 17 16:57:26 1994

To: gord@enci.ucalgary.ca (Gordon Matzigkeit)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "Sat, 17 Dec 1994 07:24:11 GMT."
             <GORD.94Dec17002411@enci.ucalgary.ca> 
Reply-To: Tony.Lill@ajlc.waterloo.on.ca
Date: Sat, 17 Dec 1994 16:48:42 -0500
From: "Anthony J. Lill" <ajlill@ajlc.waterloo.on.ca>

>>>>> "Gordon" == Gordon Matzigkeit <gord@enci.ucalgary.ca> writes:

>>>>> "Brian" == Brian Mancuso <brianm@csa.bu.edu> writes:
    Brian> Is there a specific portion of krb5 in particular that you
    Brian> can't get to work? Perhaps by cooperation we can figure the
    Brian> thing out...

    Gordon> Kerberos on our machines is still vapourware, because I'm
    Gordon> still trying to figure out if it's worth the (apparent)
    Gordon> fuss.  I think the main problem for me is the idea of
    Gordon> kclients.

    Gordon> What I'm beginning to think is that I'll have to replace
    Gordon> every network tool (i.e. telnet/telnetd, rdump, ftp/ftpd,
    Gordon> rsh, etc., etc.) in my OS with free (since our dept is out
    Gordon> of $$$), and therefore generic, kerberized programs.

Well, yes, you will. All Kerberos gives you is an API and a couple of
servers that allow you to prove you are who you claim you are securely
in a hostile environment. To use that API, any application that
requires authentication must be modified.

    Gordon> What advantages can Kerberos offer me... is proof of
    Gordon> identity and data integrity across hostile networks the
    Gordon> only benefit?

That's all.

    Gordon> How big and hostile does my network have to be, how
    Gordon> tolerant do my users have to be, and how paranoid do I
    Gordon> have to be to want Kerberos?  (Is there a simple
    Gordon> order-of-magnitude answer for this question?)

Compare the effort of replacing all your network programs with the
kerberized ones with the effort of recovering from a security
breach. As far as the users are concerned, they are still using
telnet, ftp, ... and shouldn't be aware of the fact that they are
calling Kerberos APIs (unless you want to complicate your life and
use multiple realms).

--
Tony Lill,                         Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants                 (519) 241 2461
539 Grand Valley Dr., Cambridge, Ont.    fax/data (519) 650 3571

"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
