unified authentication
Garrett Wollman
wollman at khavrinen.lcs.mit.edu
Wed Sep 24 13:13:35 PDT 2003
<<On Wed, 24 Sep 2003 15:55:30 -0400, Jesse Guardiani <jesse at wingnet.net> said:
> Will any of the above do ALL of the following?
> (The below is a prioritized list of the things
> I'd like to see in an authentication system:)
Kerberos:
> 1.) Authenticate for ssh
Yes (with openssh-gssapi). We use this all the time.
> 2.) Authenticate for Cisco equipment
For certain values of ``authenticate'', ``Cisco'', ``equipment'', and
``Kerberos''.
> 3.) Authenticate for Apache htaccess files
I strongly advise against using Kerberos for this. We use
mod_auth_kerb on exactly one machine: the one that runs the
certificate authority.
> 4.) Allow some way to easily set root passwords and su
The Kerberized `su' utility allows individual root instances for every
user. (And any other kind of instance you like; it's almost free-form
text.)
> 5.) Do the above from a centralized location
That's what Kerberos is about: trusted-third-party authentication
based on a modified Needham & Schroeder protocol.
> 6.) Do so with reasonable security/encryption
The Kerberos v4 protocol is cryptographically weak and should not be
used in new installations.
The Kerberos v5 protocol is currently considered cryptographically
sound, provided that keys of appropriate strength are used. It is
possible to configure Kerberos v5 to use 56-bit DES keys for
symmetric crypto and an insecure checksum method as pseudo-MAC. Don't
do that. (This is one of the key problems with Cisco and Windows
interoperability.)
> 7.) Authenticate for Windows boxes
How well this works and in which directions depends on how your
Windows infrastructure is set up.
It is relatively trivial to set up Windows (>= 2000) systems to use
Kerberos for login authentication in conjunction with standalone
(non-domain/AD) local accounts. It requires a significant amount of
effort to integrate other sorts of Windows configurations, but can be
done and is documented by Microsoft and others.
-GAWollman
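The warning above about 56-bit DES enctypes is a configuration problem, so a small audit is a practical follow-up. The script below is an added example, not code from the original post or from the FreeBSD project: it parses the [libdefaults] section of an MIT-style krb5.conf and reports any enctype list that still names single-DES (or export-grade RC4), plus an explicit `allow_weak_crypto = true`. The two sample configurations are constructed for illustration. Assumptions: the option names `default_tgs_enctypes`, `default_tkt_enctypes`, `permitted_enctypes` and `allow_weak_crypto` follow the MIT krb5 documentation (`allow_weak_crypto` is a later MIT addition that did not exist in 2003), and only top-level keys inside each section are inspected; nested `{ ... }` realm blocks are skipped.

```python
"""Flag weak DES/export enctypes in the [libdefaults] section of a krb5.conf.

Added example (not from the original post). Sample configs are constructed.
Assumes MIT krb5 option names; allow_weak_crypto is a post-2003 MIT knob.
"""
import re

# Single-DES and export-grade RC4 enctypes: 56-bit / 40-bit keys, CRC or MD4
# checksums. These are the kinds of settings the post says not to use.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des", "arcfour-hmac-exp", "rc4-hmac-exp",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the weak configuration the post warns against.
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac
    permitted_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: the same realm restricted to AES enctypes.
HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    allow_weak_crypto = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_krb5_conf(text):
    """Parse the flat 'section -> key = value' shape of krb5.conf.

    Nested '{ ... }' blocks (realm definitions) are skipped; only top-level
    keys inside each [section] are recorded, which is all the audit needs.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current, depth = m.group(1), 0
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):                 # enter a nested block
            depth += 1
            continue
        if line == "}":                        # leave a nested block
            depth -= 1
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def audit_libdefaults(text):
    """Return (setting, problem) tuples for weak crypto settings; empty = clean."""
    findings = []
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("allow_weak_crypto", "weak enctypes explicitly re-enabled"))
    for key in ENCTYPE_KEYS:
        for enctype in libdefaults.get(key, "").split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append((key, f"{enctype} is single-DES/export grade"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit_libdefaults(conf))} finding(s)")
        for setting, problem in audit_libdefaults(conf):
            print(f"  {setting}: {problem}")
```

Run it against a real file with `audit_libdefaults(open("/etc/krb5.conf").read())`; the absence of an enctype key means the library default applies, which this check deliberately does not guess at, so an empty finding list only says nothing weak is configured explicitly.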