On Mon, Apr 02, 2007 at 10:12:40AM -0700, Adam Megacz wrote:
>
> Davor Ocelic <[EMAIL PROTECTED]> writes:
> >> 2. Do we really need separate identities for separate machines? My
> >> understanding was that the whole service/[EMAIL PROTECTED] convention
> >> was for preventing man-in-the-middle attacks for things like
> >> kerberized telnet. If we're only using kerberos in order to
> >> support AFS, I don't know if it's really necessary.
> >
> > We use kerberos for everything?
>
> I'm having trouble parsing this.
>
> We don't use kerberos for: http, telnet, pop3/imap, or (AFAICT) any
> TCP-based protocol. As far as I can tell, we use it only for PAM and
> AFS. I'm okay with it staying this way; anything that needs to check
> user passwords should be using PAM.

Yes, only for PAM and afs, but since the kerberos module is added to /etc/pam.d/common-* files, all services that support PAM automatically use kerberos. (and basically all services except sudo and similar just include common-* files).
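The inheritance described in the reply above can be audited by resolving each service's `@include` lines and checking whether the Kerberos module ends up in its stack. This is an added example, not part of the original thread: the module name `pam_krb5.so`, the sample file contents, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of a Debian-style /etc/pam.d tree (not taken from the HCoop hosts).
SAMPLE_PAM_D = {
    "common-auth": "auth sufficient pam_krb5.so\n"
                   "auth required pam_unix.so nullok_secure use_first_pass\n",
    "common-account": "account required pam_unix.so\n",
    "sshd": "auth required pam_env.so\n@include common-auth\n@include common-account\n",
    "dovecot": "@include common-auth\n@include common-account\n",
    "sudo": "auth required pam_unix.so\naccount required pam_unix.so\n",
}

def modules_for(service, tree, _seen=None):
    """Return the set of PAM modules a service loads, following @include lines."""
    seen = _seen if _seen is not None else set()
    if service in seen or service not in tree:
        return set()  # already visited (include loop) or file missing
    seen.add(service)
    modules = set()
    for raw in tree[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include" and len(fields) > 1:
            modules |= modules_for(fields[1], tree, seen)
            continue
        # "type control module [args]"; control may be a bracketed [k=v ...] list
        m = re.match(r"-?\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            modules.add(m.group(2).rsplit("/", 1)[-1])  # strip any directory prefix
    return modules

def kerberos_services(tree, module="pam_krb5.so"):
    """Map each non-common service to whether its stack reaches the Kerberos module."""
    return {s: module in modules_for(s, tree)
            for s in tree if not s.startswith("common-")}

if __name__ == "__main__":
    for svc, uses in sorted(kerberos_services(SAMPLE_PAM_D).items()):
        print(f"{svc:10} {'kerberos via PAM' if uses else 'no kerberos module'}")
```

To run it against a real host, build the dictionary from the files under /etc/pam.d instead of `SAMPLE_PAM_D`; stacks that use `include` or `substack` control values rather than `@include` are not followed by this sketch.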
