-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Mar 07, 2008 at 11:01:10AM +0100, Kurt Gramlich wrote:
> * Jonas Smedegaard <[EMAIL PROTECTED]> [080307 01:54]:
> > I have chosen to backport 2.0 despite the ejabberd Debian maintainer
> > favoring the older 1.4.x version, due to its PAM support (I want all
> > services at my networks to authenticate and authorize through PAM, to
> > simplify both maintenance and user experience).
>
> Good point!

Well - it might actually be good to also mention the backside of such an
approach: a single login+password for all services obviously means that if
access to one service leaks, then access to all services has leaked.

Many chat clients are _very_ relaxed in storing passwords, like storing
cleartext in a world-readable config file.

So unification of auth(z) should be coupled with encrypting all
communication channels[1] and educating users about either picking only
sane tools or frequently changing passwords.

This is possibly getting off-topic for debian-edu, but hey - OLPC in
general is off-topic too IMHO ;-)

 - Jonas

[1] I so far found no way to enforce TLS (it does fall back to cleartext),
so I also re-enabled the deprecated SSL channel in my ejabberd build (the
Debian maintainer has disabled it in recent releases) and offered only that
channel to my users.

- -- 
* Jonas Smedegaard - idealist and Internet architect
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH0ThZn7DbMsAkQLgRAieDAJ9QdqMnY+d97VZJdVzBsK6EFtDq7QCfRF74
3sCgPL7ZYn+5FTED4ELvkjw=
=HXj7
-----END PGP SIGNATURE-----
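The mail's point that a single PAM-backed credential is only as safe as the sloppiest client that stores it suggests a concrete administrator check: look for chat-client config files that hold a plaintext password and are readable by other local users. The script below is an added example, not code from the mail or from ejabberd or Debian; it assumes a POSIX filesystem with standard mode bits, and the three config files it audits (their names, contents and permissions) are constructed inline for demonstration.

```python
"""Audit config files for plaintext passwords that other local users can read.

Added example (not from the original mail). Assumes POSIX permission bits;
the file names and contents used by demo() are constructed for illustration.
"""
import re
import stat
import tempfile
from pathlib import Path

# Assignment styles commonly used by INI- and XML-style client configs.
# Constructed for this example; extend for the clients you actually deploy.
PASSWORD_PATTERNS = [
    re.compile(r'^\s*password\s*[=:]\s*\S+', re.IGNORECASE | re.MULTILINE),
    re.compile(r'<password>[^<]+</password>', re.IGNORECASE),
]


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. any local user can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def contains_plaintext_password(path: Path) -> bool:
    """True if the file text matches one of the stored-credential patterns."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return any(p.search(text) for p in PASSWORD_PATTERNS)


def audit(paths):
    """Return a sorted list of (path, issue) findings.

    'exposed': password present AND file world-readable (the case the mail
               warns about; with unified auth this leaks every service).
    'stored':  password present but the file is private to its owner
               (still a single point of failure, but not readable by others).
    Files without a stored password produce no finding.
    """
    findings = []
    for p in map(Path, paths):
        if not p.is_file():
            continue
        if contains_plaintext_password(p):
            findings.append((str(p), "exposed" if world_readable(p) else "stored"))
    return sorted(findings)


def demo():
    """Create three constructed config files in a temp dir and audit them."""
    tmp = Path(tempfile.mkdtemp())
    files = {
        # world-readable INI file with a cleartext password: the bad case
        "client-a.conf": ("[account]\nuser=alice\npassword=hunter2\n", 0o644),
        # XML config with a password but owner-only permissions
        "client-b.xml": ("<account><user>bob</user>"
                         "<password>secret</password></account>\n", 0o600),
        # world-readable but stores no credential at all
        "client-c.conf": ("[account]\nuser=carol\nauth=pam\n", 0o644),
    }
    for name, (content, mode) in files.items():
        f = tmp / name
        f.write_text(content)
        f.chmod(mode)  # set the mode explicitly so the umask does not matter
    return {Path(p).name: issue for p, issue in audit(tmp / n for n in files)}


if __name__ == "__main__":
    for name, issue in demo().items():
        print(f"{issue:8} {name}")
```

Pointing `audit()` at the real per-user config paths of the clients in use (for example under each home directory) turns this into a periodic check; an `exposed` finding is the condition under which, with unified PAM auth, one leaked file means every service is compromised, and a `stored` finding marks where a later password rotation must also be propagated.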

