On Mar 8, 11:58am, "James F.Hranicky" wrote:
} Subject: Re: Password expiration

Good morning to everyone, I hope that this note finds your week going
well.

> Yes, much more I-dotting and T-crossing. Plus, I have little control
> over remote sites, which is really the whole point.

> In the end, without clients that make it easy, and without having
> *everything* Kerberized (meaning something still has to send the
> username/password over the network, albeit over an encrypted
> channel), I'm not going to be in a hurry to push Kerberized clients
> on my userbase. Turning off telnet 6 years ago in favor of SSH
> causes all sorts of headaches for people behind corporate firewalls,
> and I'm in no hurry to do that again unless a nice, user-friendly
> packaged solution exists, and all my remote users have to do is ask
> remote network admins to allow Kerberos through.

> However, I'm not opposed to slowly working on such solutions, in
> fact, I see it as critical for widespread Kerberos acceptance (apart
> from what's in Win2K, in which little seems to be Kerberized). It
> may amount to little more than writing some library code that can be
> dropped relatively easily into as many clients and servers as
> possible to make Kerberizing applications easy. It may amount to
> more than that, but hey, that's why we're having this conversation
> :-> I guess a good start would be anything using SASL (postfix, for
> one) because it already has code for GSSAPI auth.

> So, where do we begin? SASL? Hmmm...sylpheed, courier, and postfix
> all use or can use sasl...hmmm...

I'm actually very interested in helping get some momentum behind a
project such as this. I've been working on middleware architecture
and infrastructure design and development for the last 5-7 years and
I'm convinced that this is an area that needs serious attention in
order for secure and manageable OSS solutions to continue, let alone
accelerate, penetration into the enterprise.

At this point it's pretty clear to me that something on the order of a
significant open-source project is the only thing that is going to
make something like this happen. There are a bunch of tools and work
that need doing that I think pretty much only technical people
understand.

So if there is a group that would be interested in coordinating
efforts to develop strategies for getting all this stuff usable I
would be definitely interested in collaborating. As other people have
mentioned up to this point, anyone who has had to do major deployments
of Kerberos/LDAP has ended up rolling their own custom solutions. I
would think that there is enough commonality of need to develop an
open-source suite which can attack this problem space.

I have watched with considerable interest the Liberty Alliance
project, Shibboleth and a gamut of other middleware initiatives.
Unfortunately what I see from the trenches are very few organizations
which have even the remotest hope of deploying the type of
infrastructure needed to make these types of initiatives possible.

Unfortunately all of this starts from the basics and unless there are
some pretty fundamental tools available none of this stuff is going to
get traction.

> Jim

Best wishes for a pleasant start of the week.

}-- End of excerpt from "James F.Hranicky"

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: [EMAIL PROTECTED]
------------------------------------------------------------------------------
"Some of them are. A surprising number aren't. A personal favorite of
mine was the log from a cracker who couldn't figure out how to untar
and install the trojan package he'd ftped onto the machine. He tried
a few times, and then eventually gave up and logged out."
                                -- Nat Lanza
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
