Re: pwcheck_method and GSSAPI

From: Ken Hornstein (kenh at cmf dot nrl dot navy dot mil)
Date: Tue Jun 29 2004 - 10:46:51 EDT

  • Next message: Jim McCullars: "Compiling under Tru64"

    >On Tue, Jun 29, 2004 at 12:29:58PM +0200, Jukka Salmi wrote:
    >> According to the SASL documentation[1] (see below "Plugins (SASL Mechanisms)")
    >> you're (almost) right.
    >>
    >> [1] http://asg.web.cmu.edu/cyrus/download/sasl/components.html
    >
    >That helps, thanks. It's a difficult enough topic to try to explain to the
    >non-initiated, though. I'm still trying to come up with a simple drawing.

    The problem with talking about this topic is that there are a number of
    layers you need to have a reasonable understanding of before you can
    make sense of the whole mess:

    - Kerberos, and how it performs authentication
    - GSSAPI, and how it relates to Kerberos
    - SASL mechanisms (of which GSSAPI is only one).

    I use a GSSAPI SASL mechanism every day in production, but there are so
    many layers involved I'm sometimes surprised that it works at all :-)

    Just as a side note: it's not really talked about in the SASL documentation
    that much, but for a valid Kerberos infrastructure you need a secret stored
    on the server that is shared with the KDC (this is put into place by the
    Kerberos administrator, generally). This might help you to fill in the
    blanks a bit.

    --Ken

