From: "Mantas Mikulėnas" <grawity@gmail.com>
To: gtaylor@tnetconsulting.net
Cc: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
Date: Tue, 6 Nov 2018 09:07:31 +0200 [thread overview]
Message-ID: <CAPWNY8UG9T32hme5bvtcmrFd3YYdXzNnPJK4J56zhBxBr=-MUA@mail.gmail.com> (raw)
In-Reply-To: <7d595808-fff7-4c1c-d969-362693ab2672@spamtrap.tnetconsulting.net>
[-- Attachment #1: Type: text/plain, Size: 2669 bytes --]
On Tue, Nov 6, 2018 at 8:40 AM Grant Taylor via TUHS <tuhs@minnie.tuhs.org>
wrote:
> On 11/05/2018 03:34 PM, Dan Cross wrote:
> > You can use a modified `login` that will validate you against a KDC.
>
> ACK
>
These days the modification generally consists of pam_krb5 added to the
system's PAM configuration.
> > Modifications have been made to e.g. SSH so that one can authenticate an
> > SSH session via GSSAPI, which usually wraps Kerberos. If I recall,
> > GSSAPI might be one of the lasting legacies of the DCE, though I may be
> > misremembering history.
>
> *nod*
>
And similarly – in other protocols (IMAP, SMTP, IRC, the same LDAP) one can
authenticate a session via SASL, which usually wraps GSSAPI, which usually
wraps Kerberos.
> Kerberos solves the authentication problem, but does not provide a
> > directory service nor does it solve the authorization problem (though
> > some "kerberized" services could use a library to consult a
> > user-provided file of ACLs mapping principals to privileges). On Unix,
> > "authorization data" includes things like your UID and the set of groups
> > you belong to (or more precisely, your process's UIDs and GIDs/groups).
> > Kerberos provided support for privacy via encryption libraries, and it
> > provided support for integrity via hashing/checksumming/signature
> > libraries. "Kerberized" versions of network services such as telnet,
> > FTP, rsh/rlogin/rcp etc all provided support for authentication via the
> > baseline Kerberos protocol as well as privacy and integrity via
> > connection-level encryption and checksumming.
>
> I was not aware that Kerberos could provide privacy (encryption) for
> kerberized services. I (naively) thought that Kerberos was
> authentication that other things could use to make access control
> decisions.
>
You're right, it's primarily an authentication protocol. But due to the way
it works, it *also* negotiates a 'session key' between the user and the
service, which then may be used for transport encryption (sealing). It's
not commonly used as far as I know – most new protocols already have their
own security layers such as TLS or SSH.
Actually LDAP is the only still-widespread protocol that comes to mind
whose implementations frequently make use of Kerberos-based encryption (via
GSSAPI). This is especially common in Active Directory environments, where
the DCs might not have a valid TLS certificate.
(I seem to recall kerberized Telnet didn't survive because it was limited
to DES/3DES for an odd reason. Didn't quite understand why that was the
case, though.)
--
Mantas Mikulėnas
[-- Attachment #2: Type: text/html, Size: 3551 bytes --]
next prev parent reply other threads:[~2018-11-06 9:14 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-04 20:51 Grant Taylor via TUHS
2018-11-04 21:46 ` Ben Greenfield via TUHS
2018-11-04 22:45 ` Arthur Krewat
2018-11-04 22:58 ` Mantas Mikulėnas
2018-11-04 23:49 ` Warner Losh
2018-11-05 3:16 ` Robert Brockway
2018-11-05 6:08 ` Grant Taylor via TUHS
2018-11-05 7:24 ` Mantas Mikulėnas
2018-11-05 7:33 ` Mantas Mikulėnas
2018-11-05 16:12 ` Arthur Krewat
2018-11-05 19:32 ` Grant Taylor via TUHS
2018-11-05 22:43 ` Arthur Krewat
2018-11-06 5:25 ` Grant Taylor via TUHS
2018-11-06 16:50 ` Arthur Krewat
2018-11-06 19:43 ` Grant Taylor via TUHS
2018-11-05 19:27 ` Grant Taylor via TUHS
2018-11-05 19:36 ` Grant Taylor via TUHS
2018-11-05 21:36 ` Mantas Mikulėnas
2018-11-05 23:12 ` Grant Taylor via TUHS
2018-11-05 21:43 ` Ben Greenfield via TUHS
2018-11-06 4:58 ` Grant Taylor via TUHS
2018-11-06 12:59 ` Ben Greenfield via TUHS
2018-11-06 6:53 ` Mantas Mikulėnas
2018-11-06 13:21 ` Ben Greenfield via TUHS
2018-11-06 13:44 ` Mantas Mikulėnas
2018-11-06 14:00 ` Ben Greenfield via TUHS
2018-11-06 13:46 ` Mantas Mikulėnas
2018-11-05 22:34 ` Dan Cross
2018-11-06 5:24 ` Grant Taylor via TUHS
2018-11-06 7:07 ` Mantas Mikulėnas [this message]
2018-11-06 17:30 ` Grant Taylor via TUHS
2018-11-06 19:58 ` Mantas Mikulėnas
2018-11-06 22:24 ` Dan Cross
2018-11-07 0:35 ` Grant Taylor via TUHS
2018-11-07 11:37 ` Pete Turnbull
2018-11-07 17:30 ` Grant Taylor via TUHS
2018-11-07 22:01 ` Dave Horsfall
2018-11-08 1:48 ` Dave Horsfall
2018-11-07 23:00 ` Pete Turnbull
2018-11-07 1:03 ` Pete Turnbull
2018-11-06 12:54 ` Ben Greenfield via TUHS
2018-11-05 20:10 ` Dave Horsfall
2018-11-05 3:49 ` Larry McVoy
2018-11-05 6:12 ` Grant Taylor via TUHS
2018-11-05 19:58 ` Dave Horsfall
2018-11-05 22:53 ` Grant Taylor via TUHS
2018-11-06 1:28 ` Dave Horsfall
2018-11-05 15:44 ` Larry McVoy
2018-11-05 18:38 ` arnold
2018-11-05 19:04 ` Larry McVoy
2018-11-05 21:21 ` Noel Hunt
2018-11-07 8:58 ` arnold
2018-11-07 14:05 ` arnold
2018-11-05 20:48 ` A. P. Garcia
2018-11-05 23:07 ` Grant Taylor via TUHS
2018-11-06 1:46 ` Dan Cross
2018-11-06 5:32 ` Grant Taylor via TUHS
2018-11-06 22:29 ` Dan Cross
2018-11-07 0:40 ` Grant Taylor via TUHS
2018-11-07 1:38 ` Arthur Krewat
2018-11-06 3:03 ` Robert Brockway
2018-11-06 5:03 ` David Arnold
2018-11-06 5:34 ` Grant Taylor via TUHS
2018-11-06 23:59 Norman Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPWNY8UG9T32hme5bvtcmrFd3YYdXzNnPJK4J56zhBxBr=-MUA@mail.gmail.com' \
--to=grawity@gmail.com \
--cc=gtaylor@tnetconsulting.net \
--cc=tuhs@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).