[nycbug-talk] FreeIPA

Jesse Callaway bonsaime at gmail.com
Thu May 19 14:25:14 EDT 2011

On Thu, May 19, 2011 at 2:13 PM, Pete Wright <pete at nomadlogic.org> wrote:
> On Thu, May 19, 2011 at 02:03:43PM -0400, Edward Capriolo wrote:
>> The last time I was looking at this stuff.. wink wink.. . I found myself
>> pretty confused as to what (if any?) software worked with IPA. I mean it is
>> Kerberos so I am guessing you can secure telnet and all the other mostly
>> useless protocol Kerberos was designed to protect. I guess you can secure
>> web browsing with kerberos tickets, but again, is that really common?
>> I ended up with the ssh-public keys in LDAP.
>> http://code.google.com/p/openssh-lpk/. The reason I chose this was
>> 1) I know LDAP
>> 2) People were comfortable with SSH-KEYS
>> I still like it as a system actually. As to the IPA stuff, i could not
>> figure out IF/HOW I could make it work with SSH, and the software stack
>> needing it's own DNS server to control was a detraction.
> hrm, i've used kerb-auth with ssh and i *know* that works...
> (sshd.conf)
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> my understanding of the role of OpenIPA is to centralize the
> management and auditing of ID management and authentication for
> heterogeneous environments.
> regarding the DNS requirements - that actually sorta makes sense, esp if
> you need to support an AD forest and are using BIND for name services.
> -pete
> --
> Pete Wright
> pete at nomadlogic.org
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

Word, kerberos is good for some things... but how can you AAA your
jabber and AIM and well, anything that doesn't have gssapi built into
it? Most software which has auth has some support for LDAP
auth(entication). Kerberos support is less prevalent.

An approach by some guys at my last job was to have LDAP authorization
(password checking) via sasl on the backend. SASL was then talking to

Once you get into hacking stuff like this it's almost not even worth
it to have Kerberos, since you're sidestepping all of the nice
features it provides like mitm protection, mutual-authentication,
single-sign on.


More information about the talk mailing list