Thanks for your thoughts, here's a little more based on
them and my understanding.
Other than the native OS login, Kerberos is the only other
authentication means that I know of to provide access
at OS login. If I'm correct then I'm answering my
own question and everything could be TGT centric.
I've been a Kerberos advocate for a while
but I don't see a comprehensive solution coming
together on technical merit alone. I can have independent
authentication in each :( or pick one as more centric
over the other. I'm no expert and have found very
little on this theme, but let me attempt a draft of a
simplified matrix that can illustrate where I'm coming
from and from what I hear you saying:
REQUIREMENT     IETF     PKI CENTRIC                  KERBEROS CENTRIC
Authentication  krb-wg?  Kerberos-PKINIT (Heimdal)    Kerberos-"k5cert" (MIT)
Certificate     pkix     RSA SSL CA (OpenCA)          -via ? (OpenCA)
Encryption      smime    GnuPG->S/MIME (Mozilla)      GnuPG->S/MIME-via ? (Mozilla)
Hashing         pkix     SHA1SUM (GNU)                SHA1SUM -N/A (GNU)
IP              ipsec    IPSEC (FreeSWAN)             IPSEC-via ? (FreeSWAN)
Shell           secsh    RSA (OpenSSH)                gss-keyex (OpenSSH)
Transport       tls      RSA (OpenTLS)                gss-keyex (OpenTLS)
I'm guessing at some of the above; how would you do it?
It appears authentication is key to the whole model.
The technology deployed, not necessarily the product in
parentheses, is what I'm concerned with, though I've
obviously gravitated toward Open Source solutions.
Open Source tools I've found to work great for proof
of concept, particularly with the above requirements
from the user and technical gray. Globus has a FAQ
that also illustrates what I'm looking for, and I might
pursue their GSI module:
"PKINIT, which can generate a Kerberos TGT from a certificate, is being worked on in the IETF and the final solution will be implemented in the reference version of MIT Kerberos. This is expected to take about 1 year. W2000 has implemented an early version of this work. Pending availability of the final standard, Globus have implemented extensions to an MIT Kerberos KDC, called SSLCD-SSLK5. This allows a client to connect to a gatekeeper with a delegated proxy certificate and then use Globus services on that system which are configured using Kerberos v5. This can avoid the need for separate Globus processes when Kerberos processes are already available.
The reverse capability of generating a Globus Proxy Certificate from a Kerberos v5 TGT is provided by the Globus K5cert software. The source code needs to be linked with the MIT Kerberos libraries, but does not require extensions to the KDC. This functionality can provide SSO for both a Kerberos v5 and Globus environment, provided the CA of the proxy certificate is trusted by other Globus sites."
Thoughts, experiences?
cs
