Offline password attacks on AS-REQ

2005-06-15 Thread brian . joh
Hi, In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory. To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes. Although preauthentication helps some, Kerber

Re: Offline password attacks on AS-REQ

2005-06-15 Thread Andreas Hasenack
On Wed, Jun 15, 2005 at 02:04:19PM +, [EMAIL PROTECTED] wrote: > AS-REQ. I saw some discussion about this from a few years ago in the > archives, but nothing recently. Is there a solution to this issue > yet? If not, what progress has been made, and what direction is being If I remember cor

Re: Offline password attacks on AS-REQ

2005-06-15 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: >> If I remember correctly, the advice given back then was: >> - use hardware authentication >> - use SRP (a patent discussion followed) >> - implement a strong password policy > > > We have thousands of users to manage, so we're looking for > a solution which is pretty m

Re: Offline password attacks on AS-REQ

2005-06-16 Thread brian . joh
Tunneling sounds like the best option. We have over 500 Windows 2000 and Windows 2003 domain controllers (KDCs in Active Directory), that we don't want to have to modify or install new software on. These domain controllers (KDCs) do have SSL properly configured, so I suppose, we could tunnel the

Re: Offline password attacks on AS-REQ

2005-06-16 Thread peter huang
[EMAIL PROTECTED] wrote: > Tunneling sounds like the best option. > > We have over 500 Windows 2000 and Windows 2003 domain > controllers (KDCs in Active Directory), that we don't want to have > to modify or install new software on. These domain controllers > (KDCs) do have SSL properly configure

Re: Offline password attacks on AS-REQ

2005-06-16 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Tunneling sounds like the best option. > > We have over 500 Windows 2000 and Windows 2003 domain > controllers (KDCs in Active Directory), that we don't want to have > to modify or install new software on. These domain controllers > (KDCs) do have SSL properly configur

Re: Offline password attacks on AS-REQ

2005-06-16 Thread brian . joh
We're not using kinit. We're basically writing our own programs built on the Kerberos libraries. However, I've looked at the source code to kinit when I was learning how to use the MIT libraries, and it would not be hard to modify. Kerberos mailing

Re: Offline password attacks on AS-REQ

2005-06-17 Thread Douglas E. Engert
There is PKINIT also. We did a "sslk5" in 1999 to use SSL authentication to a KDC, then return an unencrypted ticket protected by SSL to the client. In this case the user was using X509 certificates for authentication and no password. It was last updated for krb5-1.2.2 and OpenSSL-0.9.6. It can b

Re: Offline password attacks on AS-REQ

2005-06-21 Thread davido
Brian, the earlier suggestion to use IPsec to your servers sounds like an elegant approach, but sounds like you may have rather too many client machines to make this practical. As a much simpler alternative, and one that is SSL based (and hence X.509 cert public key encryption based for easy depl

Re: Offline password attacks on AS-REQ

2005-07-06 Thread Matthew N. Andrews
[EMAIL PROTECTED] wrote: Brian, the earlier suggestion to use IPsec to your servers sounds like an elegant approach, but sounds like you may have rather too many client machines to make this practical. As a much simpler alternative, and one that is SSL based (and hence X.509 cert public key encr