On Thursday, December 28, 2000 10:39:40 AM -0800, Michael Pelletier
<[EMAIL PROTECTED]> wrote:
+-----
| I'd like to get to the point where I'd be able to deploy kerberized and
| encrypted telnet, rlogin, IMAP, ssh, VPN access, and so on, but I'm not
| clear on whether AFS's kaserver is sufficient for this. I get the
| impression that it's not sufficient, due to the fact that the
| ticket-granting-ticket is discarded after the AFS token is acquired... Is
| this correct?
+--->8
No, because that's not a function of the kaserver. It's a function of the
klog program. Use klog.krb, MIT Kerberos with kinit+aklog/cklog, or KTH
Kerberos or Heimdal with kinit+afslog or kauth.

Where the kaserver falls short is that generating srvtabs for e.g.
Kerberized telnet is painful and can be impossible with some versions of
AFS. In this case you may want to use a real KDC in place of kaserver.
| Would I be better off with Kerberos 4 or 5 in the long run?
+--->8
In the long run, Kerberos 5.
| Also, does the Kerberos realm have to match the DNS domain name of the
| machines in the realm?
+--->8
No, but it simplifies things when accessing machines from outside the
domain.
--
brandon s. allbery [os/2][linux][solaris][japh] [EMAIL PROTECTED]
system administrator [WAY too many hats] [EMAIL PROTECTED]
electrical and computer engineering KF8NH
carnegie mellon university ["better check the oblivious first" -ke6sls]