-I am not the right person to write this page, but here is a rough outline.
+This is a rough outline.
There are basically three options with several variants
- [[KaServer]] -- the standard option to comes with IBMAFS, implements [[KerberosIV]] with some custom features.
-- [[KerberosIV]] -- the original MIT implementation, and [[Krb4KTH]], an export version of [[MITKerberosIV]] (aka "bones"), but with encryption support put back in by the fine folks at KTH.
+- [[KerberosIV]] -- the original MIT implementation, and [[Krb4KTH]], an export version of [[KerberosIVMIT]] (aka "bones"), but with encryption support put back in by the fine folks at KTH.
- [[KerberosV]] -- version five of this protocol has numerous improvements over version four and is available from many sources: MIT, DCE, Microsoft (aka [[ActiveDirectory]]) and [[HeimdalKTH]].
-The consensus these days is to use [[KerberosV]], even though lacking native support for V5, AFS still needs various conversion and migration tools.
+The consensus these days is to use [[KerberosV]], even though lacking native support for V5, AFS still needs various conversion and migration tools. See [[KerberosAFSInstall]] for (what will be) a step-by-step procedure to install a new [[OpenAFS]] cell where authentication is handled by a [[KerberosV]] realm.
--- [[TedAnderson]] - 22 Jan 2002
+For [[KerberosV]], there are two main open-source solutions for Unix: [[KerberosVMIT]] and [[HeimdalKTH]]. A quick comparison of the two:
+
+[[KerberosVMIT]] Advantages:
+
+- Excellent documentation
+- The "reference" implementation everyone else uses as a baseline
+- Great library support. Third-party software compiles easily with the libraries MIT provides.
+
+[[KerberosVMIT]] Disadvantages:
+
+- Poor integration with AFS. Requires the AFS-Kerberos5 migration kit to work with AFS.
+- Export issues
+
+[[HeimdalKTH]] Advantages:
+
+- Excellent integration with AFS.
+
+[[HeimdalKTH]] Disadvantages:
+
+- Client API is just different enough from MIT to keep most applications from compiling out of the box.
+
+Note that you can mix-and-match. Currently I'm using a [[HeimdalKTH]] KDC with [[KerberosVMIT]] clients. If you take this route the one big thing to watch out for is administrative tools - kadmin, kpasswd, and such.
Some other topics that should be explained.
-- SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
+- SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. See [[KerberosV]] for a link to patches to kerberize [[OpenSSH]]. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
- these instructions from [[CharlesClancy]] for building openssh might be useful <http://lists.openafs.org/pipermail/openafs-info/2002-January/002846.html>
- another perspective from [[OwenLeBlanc]] <http://lists.openafs.org/pipermail/openafs-info/2002-January/002856.html>
+- How to choose between [[KaServer]], [[KerberosVMIT]], [[HeimdalKTH]] and [[ActiveDirectory]].
+- [[StringToKey]] issues.
+- Authenticating applications that need AFS access and can't depend upon human interaction to enter a password.
+- [[ProcessAuthenticationGroups]] (aka PAGs).
+- [[KeyVersonNumber]] (aka kvno) synchronization.
+- [[AccessControlLists]] (aka ACLs).
+- [[IPAccessControl]] -- how to put IP addrs on ACLs
+- How to configure various authentication servers to issue tickets (tokens) with lifetimes longer than 25 hours.
+- [[IntegrationWithNIS]]. See the [[GeneralFAQ#1_05_d_Improved_security]], but basically you use NIS vis NSS for names of users and Kerberos via PAM for authentication. There is still the question of integrating group management.
+- [[OtherGroupServers]] are not well integrated as far as I know. The big ones are [[ActiveDirectory]] and [[NIS]] and maybe some LDAP systems. While one could imagine wrapping a [[PtServer]] interface around such a thing, there are probably some features that would make seamless integration difficult. Has anyone seriously looked into this?
+ - In a 10-Oct-2002 message from [[DerrickBrashear]]: <q>...something to allow LDAP queries of the PTS database... /afs/andrew.cmu.edu/usr/shadow/back-pts.tar.gz / The README inside explains how it works.</q>
+
+-- [[TedAnderson]] - 22-24, 29 Jan 2002<br /> -- [[JasonGarman]] - 30 Jan 2002<br /> -- [[TedAnderson]] - 06-07 Feb, 11 Oct 2002<br />
+
+----
--- [[TedAnderson]] - 23 Jan 2002
+See [[AuthCommands]].
git://git.openafs.org / openafs-wiki.git / blobdiff