[OpenAFS] Future of AFS? Interesting Ideas!?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Sun, 05 Jan 2003 15:46:24 -0500
>I was 1/4 serious when I suggested contributing Ubik code to OpenLDAP.
>An Ubik-based krb5 server would be pretty cool, too. I wonder if the
>maintainers would even be interested, though.
I think they would be ... someone just has to do the work. Maybe that
will happen someday ...
>> Kerberos 5 seems be doing reasonably well in that regard ... I can use
>> it for SSO under Windows, Mac OS X, and most flavors of Unix.
>
>Let's see, my users have separate passwords for our Intranet site,
>Lotus Notes server, Windows domain, Unix systems, and VPN gateway.
Hey, I didn't claim that Kerberos would solve all of _your_ problems;
unfortunately, when you're dealing with commercial software, getting them
to use a third-party authentication system is challenging. There _are_
Kerberized options for open-standard mail protocols like SMTP/POP/IMAP;
you would need to ditch Notes, of course (but would ditching Notes
really be that bad? :-) ). I'm just saying that considering everything
out there, Kerberos seems to be the best thing going regarding SSO.
>For HTTP authentication, Kerberos is not an option (AFAIK); X.509
>certificates seem to be the standard approach. I suppose the Web
>server itself could accept cleartext passwords and authenticate
>against a Kerberos realm, but does that really count as "single sign
>on"?
Well, actually ... you _do_ have options with HTTP. For example,
Internet Explorer can do Kerberos authentication with IIS. This
protocol is even documented in an Internet-Draft, and I know of
people working on the pieces to make it work with Apache. On the
open-source front, OpenSSL supports the Kerberos Cipher Suite for
TLS, so if you build your own version of Mozilla, you could use
that with Apache to get Kerberos authentication for HTTP. Now, are
these actually realistic options today for a production environment?
Other than using IE today, probably not; they still all need work
to improve the quality. But at least things are headed in the right
direction.
>Lotus Notes, of course, is completely proprietary; no Kerberos there.
>You might suggest we should change mail servers, but would Exchange
>really be any better? :-) OK, we could use a generic Kerberized IMAP
>server, but not all mail clients support Kerberos. In fact, going by
>installed base, most clients do not. (Microsoft Outlook is the
>most-requested mail client among my users.) I see no good solution
>here, although certificate-based SSL authentication might be possible.
I wish Outlook _did_ do Kerberos; that's rather unfortunate, since
MS even ships with Kerberos in the OS and they have no excuse.
However, other than Outlook, things aren't bad. Eudora and Mulberry
both support Kerberos for POP/IMAP/SMTP, and so does the "Mail"
app that ships with OS X. These are real applications that are
production quality, and our users seem to be happy with them.
>As for the VPN gateway, I know of no Kerberos-based solution. Here
>again, public-key certificates appear to be the emerging
>non-proprietary mechanism of choice.
We don't do much VPN stuff, so I can't comment on that. Personally,
our preference is for Kerberizing the original application and using
that directly instead of a VPN, but I understand that isn't the solution
for everyone.
>LDAP is an overengineered monstrosity. But it appears to be the only
>game in town (except for Active Directory, of course). So yeah, I
>suppose I consider it part of the solution. I wish there were a
>decent free implementation.
Now _this_, I don't understand at all. LDAP isn't an authentication
system. When people say stuff like, "LDAP authentication", most
of the time they really mean storing plaintext passwords in their
LDAP database. If you're just doing _that_, then Kerberos can do
the same thing, and that actually has pretty good coverage. That's
not SSO in my book, but I don't see how that's any worse than LDAP.
--Ken