On Tue, 2012-10-09 at 15:29 +0200, Lennart Poettering wrote:
> On Mon, 08.10.12 21:00, Ray Strode (halfl...@gmail.com) wrote:
>
> > Hi,
> >
> > On Mon, Oct 8, 2012 at 1:07 PM, Lennart Poettering <mzerq...@0pointer.de>
> > wrote:
> >
> > > Correct. Note that this is not accessible at all, by default, and mostly
> > > a preview for now. Later on we will add http digest auth and proper TLS
> > > support (including client certs) if people want to control
> > > access. (thankfully, libmicrohttpd already implements auth+tls, so this
> > > is easy for us to provide).
> > I think negotiate-auth would be a really good feature here, since many
> > enterprise deployments use kerberos based SSO in their intranets.
>
> well, this is really computers authenticating against computers, not
> users against computers. Hence I think kerberos/SSO is not really the
> most appropriate logic, since it's very user-bound, no?

Not *at all*, each computer has its own principal and keytab and can use
it to do mutual authentication to one another.

Although if possible I would support also using a syslog specific keytab
instead of using the host/fqdn one so that people can decide to give the
journal daemon access to a less sensitive key and not the main
credentials.

We can easily provision that service key to clients via FreeIPA if the
feature is used there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York