Well, AD *is* Kerberos, but it's another matter entirely to manage the configuration of Kerberos on the UNIX clients. If someone doesn't have support for it today, adding it is non-trivial.
OTOH, it isn't that hard, once you understand how the pieces fit together. Certainly, being able to help clients leverage this is a valuable service to offer.

On Thu, Jun 10, 2010 at 11:45 PM, Baldwin Sung 宋志瑞 <[email protected]> wrote:

> The closest thing to Kerberos at one client is Active Directory.
>
> On Jun 10, 2010, at 11:41 PM, Phillip Moore wrote:
>
> > Oh, I'm not dropping PAM. It's perfectly reasonable as coded.
> >
> > The issue is just the password caching. The code's there, and it works, but I'd prefer NOT to do something that makes security pros scoff at us.
> >
> > Baldwin, do you have Kerberos infrastructure you can leverage in your environment?
> >
> > On Thu, Jun 10, 2010 at 11:36 PM, Baldwin Sung 宋志瑞 <[email protected]> wrote:
> >
> >> IMHO, the next version of EFS should only support Kerberos. If anybody wants to keep the password caching, stay with the current version of EFS. Keep the PAM support, who knows what else might be plugged in later on.
> >>
> >> On Jun 10, 2010, at 11:26 PM, Phillip Moore wrote:
> >>
> >> > Now that we have Kerberos authentication, I don't want to rip out the PAM support, since non-Kerberos enabled sites should be able to use EFS.
> >> >
> >> > But, given the ugliness and complexity of the password caching code, and the fact that every last security expert won't like it (and we don't have much grounds to argue with them), why not just trash it?
> >> >
> >> > IOW, you'll still be able to authenticate password in efsd via PAM, but the client will require you to submit the password every time, instead of caching it (or attempting to) in ~/.efsconfig.
> >> >
> >> > Thoughts?
> >> >
> >> > _______________________________________________
> >> > EFS-dev mailing list
> >> > [email protected]
> >> > http://mailman.openefs.org/mailman/listinfo/efs-dev
