[OpenAFS] Future of AFS? Interesting Ideas!?

Russ Allbery rra@stanford.edu
Sun, 05 Jan 2003 17:43:39 -0800


Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> Well, actually ... you _do_ have options with HTTP.  For example,
> Internet Explorer can do Kerberos authentication with IIS.  This
> protocol is even documented in an Internet-Draft, and I know of people
> working on the pieces to make it work with Apache.  On the open-source
> front, OpenSSL supports the Kerberos Cipher Suite for TLS, so if you
> build your own version of Mozilla, you could use that with Apache to get
> Kerberos authentication for HTTP.  Now, are these actually realistic
> options today for a production environment?  Other than using IE today,
> probably not; they still all need work to improve the quality.  But at
> least things are headed in the right direction.

We use Kerberos for web authentication and have for years, but not with
single sign-on through NAT (since the only way we have to do SSO that way
is via a callback, which doesn't work through NAT or firewalls).  We're
almost done with the next version of the Apache modules and the like, and
it will be open source (although right now you could use pubcookie or some
of the other similar ideas that are already out there).

The current version of the S/Ident callback library and Unix responder
supports Kerberos v5 as well as Kerberos v4 and is available at:

    <http://www.eyrie.org/~eagle/software/sident/>

Obviously native HTTP authentication using Kerberos would be a lot nicer,
though.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>