[OpenAFS] Krb5 integration with AFS

Russ Allbery rra@stanford.edu
Tue, 30 Dec 2003 23:26:57 -0800


Derrick J Brashear <shadow@dementia.org> writes:

> I also like using my Kerberos password for all those things: by typing
> it one time, when I sit down, and having clever utilities which leverage
> authentication, instead of typing my password 50 times while I'm
> sitting.  Hence my routine denigration of pubcookie: I typed my
> password. I'm not typing it again. Thus, pubcookie falls in the category
> of "doesn't work" because it shows me a password dialog, instead of the
> web page I asked for. I *am* authenticated.

Stanford WebAuth achieves this if you're willing to run an S/Ident
responder, and we're thinking about leveraging it a bit more without the
NAT nonsense that breaks S/Ident by taking a page out of the book of the
IM clients and having the client run a program that opens a persistant TCP
connection to a central trusted server and responds to credential requests
from it.  Still less than ideal from a security perspective, but
everything is other than native application support for Kerberos, and I'm
not holding my breath to see that in all the major web browsers.  At least
in some fashion that we can actually use without going pure Microsoft.

Current stuff is at <http://webauth3.stanford.edu/>.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>