On Tue, 2012-10-09 at 15:29 +0200, Lennart Poettering wrote:
> On Mon, 08.10.12 21:00, Ray Strode (halfl...@gmail.com) wrote:
> 
> > Hi,
> > 
> > On Mon, Oct 8, 2012 at 1:07 PM, Lennart Poettering <mzerq...@0pointer.de> wrote:
> > 
> > > Correct. Note that this is not accessible at all, by default, and mostly
> > > a preview for now. Later on we will add http digest auth and proper TLS
> > > support (including client certs) if people want to control
> > > access. (thankfully, libmicrohttpd already implements auth+tls, so this
> > > is easy for us to provide).
> > I think negotiate-auth would be a really good feature here, since many
> > enterprise deployments use kerberos based SSO in their intranets.
> 
> well, this is really computers authenticating against computers, not
> users against computers. Hence I think kerberos/SSO is not really the
> most appropriate logic, since it's very user-bound, no?

Not *at all*, each computer has its own principal and keytab and can
use it to do mutual authentication to one another.
Although if possible I would support also using a syslog specific keytab
instead of using the host/fqdn one so that people can decide to give the
journal daemon access to a less sensitive key and not the main
credentials.
We can easily provision that service key to clients via FreeIPA if the
feature is used there.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
