[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos

Russ Allbery rra@stanford.edu
Fri, 30 Dec 2005 20:46:53 -0800


Adam Megacz <megacz@cs.berkeley.edu> writes:

> Okay, you're right.  There are projects out there that are working on
> solving this -- and this covers half my concern.  The other half is
> users who do not belong to a realm (ie those users who are not
> affiliated with a university and don't have their own server to run a
> private KDC on).

In order to authenticate, they have to be able to talk to some
authentication service somewhere.  I don't think this is a technical
problem so much as it is a service problem.  You need someone, or more
likely several someones, to provide authentication services for those
people.

Many universities do this already for people that someone at the
university said were loosely affiliated enough to need to be able to
authenticate.  At Stanford, for instance, any staff or faculty member can
sponsor that sort of authentication-only account.

It would certainly be easier, in some particular cases, to be able to use
pkinit rather than a traditional Kerberos realm for such users, although
most of the people I've dealt with in that classification wouldn't know
how to use any sort of public key cryptosystem either unless it was
packaged with their OS (and packaged well).  Most users don't understand
anything other than passwords.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>