In article <[email protected]>, Russ Allbery <[email protected]> wrote:
>The correct way of using Kerberos is for the user's credentials to never
>leave the local system. In practice, it's an ideal that usually can't be
>reached, but every place where the Kerberos password leaves the local
>system and is validated on a remote system is a place that's going to
>break when you want to switch to something better than passwords, such as
>smart-card authentication.

On our systems, we require users to have two distinct passwords: their Kerberos password, which is only used for login-equivalent authentication and certificate generation, and their "email" password, which is used by the IMAP server (Cyrus), the outgoing mail relay (Exim), and the XMPP server (eJabberd). Doing this for IMAP was necessary in order to support webmail, and having done so, it made sense to piggyback other applications requiring non-login password authentication on the IMAP passwords.

I don't know how many users have ended up changing their two passwords to be the same (we discourage that but we don't have a mechanism to prevent it), but we ensure that they at least start out different.

Since no commonly-used XMPP clients support GSSAPI authentication, we have not looked seriously at supporting it on the server side. We do support it for email.

-GAWollman
(in this case writing from, but not for, MIT CSAIL)

-- 
Garrett A. Wollman    | What intellectual phenomenon can be older, or more oft
[email protected]     | repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers.         | accepted by all practitioners?  - S.J. Gould, 1993
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
