[EMAIL PROTECTED] (Ken Hornstein) writes:

> 
> >I am confused by what people mean when they say "Kerberos
> >authenticated POP" in this thread.  Do you mean "POP client sends
> >cleartext password to POP server which uses it to authenticate with
> >AFS Kerberos", or do you mean "POP client uses Kerberos service ticket
> >to authenticate securely with POP server"?
> >
> >I have the former.  I am clearly looking for the latter.
> 
> I believe that when people say "AFS Kerberos authenticated POP", they
> are talking about the former, because the latter is actually difficult
> to impossible.

We do both.  On the kpop port we use the Kerberos krbtgt created by
klog.krb, and on the pop port we use the cleartext password and
authenticate it against kaserver.

> >The only circumstance in which I think Kerberos authentication would
> >pose a performance problem is when the POP or IMAP server is obtaining
> >an AFS fileservice ticket in addition to simply authenticating with
> >Kerberos.  This is harmful and unnecessary.

We do not get an AFS ticket.  Not only does it open a PAG, but it
serializes on access to kernel space (at least, it did under Solaris
2.4, we currently use AIX 4.1.5).  We also check both the MIT and
Transarc string-to-key functions, but still have very good popper
performance.

--
Michael D. Sofka                  [EMAIL PROTECTED]
CIS Sr. Systems Programmer        AFS/DFS, email, usenet, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
