Just because I know readers of this list have been following the GSSAPI Key
Exchange saga over the last 9 years, I thought the following mail from
OpenSSH's bug tracking system might be of interest.
I still believe that their argument is bogus, and I will continue to maintain
the OpenSSH key ex
On 09.02.2010 18:08, Luke Scharf wrote:
> If you're using virtual users on the e-mail server, then saslauthd can
> be configured to attempt to log in to Kerberos to see if the password is
> valid instead of PAM. This is an application-level way to check
> credentials, as opposed to a system-level
On 9 Feb 2010, at 15:24, Ken Raeburn wrote:
> The idea has been kicked around before, and I believe one variant
> (registering a new host principal over a kadmin session protected by
> anonymous PKINIT) has been tried out in MIT's current development code.
What we do here is require the input
On Feb 9, 2010, at 05:17, Guillaume Rousse wrote:
> However, this is still a bit painful, as it can't be included in
> automatic installation scenarios, for instance. And requires us to track
> information for each user, which doesn't prove to be very useful. I was
> wondering of the security im
Nikolay Shopik wrote:
> You mean PAM on the client? This won't work for me: most clients are running
> Windows and a few Mac OS X. And I use virtual users so they don't show
> up in getent passwd.
>
> So for now I have only one option: run a plain text password db along
> with Kerberos for users who wish logi
Hello list.
In order to allow our users to set up their own machines for kerberized
NFS, we deployed a custom CGI application allowing them, once
authenticated, to create nfs/hostname principals, and extract
corresponding keytab file. As part of the process, they register
themselves as owner of
On 09.02.2010 0:46, Luke Scharf wrote:
> Nikolay Shopik wrote:
>> Hello everyone,
>>
>> I'm in the middle of the process of making my mail server Kerberized. Currently
>> my infrastructure is only password based, but I plan to move to PKINIT
>> thus using certificate based authentication. Afterward I thought abou