Hi Rune,
Thanks so much for addressing all my questions.
Here are a couple of further remarks.
On Mar 20, 2007, at 12:53 PM, [EMAIL PROTECTED] wrote:
1: Yes, it is reasonably strong (about as strong as you can do with
64-bit keys)
2: Kerberos may still be preferable for other reasons, e.g.
  - sharing passwords with other systems like host login or something else
  - using third-party tools for authentication record management
    (password changes, adding/deleting accounts)
  - reusing existing user authentication databases (doesn't seem to apply
    in your case?)
I'm interested in users - which authenticate via an external LDAP
server on their workstations - having their homes mounted upon login
on the /coda filesystem. Does this mean this will only work with a
Kerberos-based authentication in Coda? From what you see, it appears
to be the case, though taking into account clog uses 64-bit
encryption, that'd be enough for me and I'd rather avoid setting up
Kerberos for now.
On a side note, I found a pam_coda module somewhere on the web,
written by Robin Gareus back in early 2000. What is the preferred way
nowadays to have such a setup going?
3: Kerberos 5 protocol is fully supported, but there are hardwired
limitations on how a Kerberos realm must be set up to make it useful
for a certain Coda realm, which makes sharing the authentication data
somehow troublesome, especially across administration domains.
I'd suggest using the "experimental" modular clog.
It is fully functional and quite extensively tested,
but still did not replace the old code in the distribution.
Hmm, how do I go about giving it a spin? I've been simply using the
Debian packages on the CMU Coda repository...
In my personal biased opinion the default Kerberos support code is
incomplete, it relies on client-side configuration of clog/Kerberos.
In contrast, the modular clog uses a trivial service on the server
side so that the clients work with any realm having such a service,
talking to the corresponding Kerberos servers without any client-side
configuration.
Of course if a Coda realm does not announce its authentication setup,
(the modular) clog can always be configured / given explicit
command line options to do the right thing.
Regards,
Rune
Cheers,
Paulo