Re: [PLUG] log as root or not ?
gabriel rosenkoetter wrote:
| Is there something wrong with Kerberos5 for this? (Actually, there
| are a variety of things wrong with it, both in protocol and
| implementation, but it sounds like it's what you want.) You should
| be able to find a POP3 server with a K5 authentication option
| (though I don't know one off the top of my head), and OpenSSH has
| been able to do this for ages.
Have not worked with Kerberos. Sounds like something to look at.
| But why do you want digital certificates? That requires a CA, which
| is immediately where Mallory'd attack if he wanted to co-opt your
| entire network.
If I act as my own CA with exactly 3 certificates to people I know well?
Personally I don't trust the verification methods for either VeriSign
14.95 specials or the Thawte web of trust. But how does Mallory get
into a small tightly controlled CA?
I have worked with internal CA systems for a large multinational and can
see how this would be just as vulnerable as Thawte.
Not that this is the best solution of course. I am way open on this.
| (Fwiw, we're moving up on Radius for a single sign-on to Windows,
| Solaris, Linux, and maybe still a little Novell. I don't know
| whether Radius can hit a cert server, but I'd be moderately
| surprised if it couldn't.)
Guess I should play with this too.
______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug