Grex > Coop12 > #144: The future of grex authentication?

cross
The future of grex authentication?
Nov 8 19:52 UTC 2002
About five months ago, I wrote a proposal in the garage group (134)
to move grex to a completely standard MIT Kerberos 5 KDC before moving
to new hardware and software. However, only two other people commented
on it, and neither was a member of the grex staff. I still think it's
a good idea, and would like to get some discussion on it going.
Basically, my concern is that the current plan for moving to Kerberos
for authentication calls for some major customization of the Kerberos
software. This is neither trivial nor convenient, and relies on
knowledge that probably only Marcus has. Should Marcus for one reason
or another become unavailable to grex for an extended period of time, it
would be very difficult for someone else to take his modifications and,
for example, insert them into a new version of the Kerberos software.
Also, those modifications make grex's version of Kerberos incompatible
with the rest of the world's.
However, I don't believe that the customizations are necessary, and my
proposal outlines a method for moving the user population to standard
Kerberos in approximately three (3) months, without any explicit user
action required. What do people think?
(PS: the `register' program I mentioned is in my home directory;
register.c.)

20 responses total.

response 1 of 20: remmers
Nov 9 14:54 UTC 2002
I don't know enough about security issues or Kerberos in particular
to comment on the specifics of this proposal, but in general I do
favor moving away from local customizations when standard solutions
will do what we want. That way, the upgrade path becomes much
smoother, and we don't become too dependent on the expertise of
a small set of individuals.

response 2 of 20: cross
Nov 9 17:22 UTC 2002
I agree. Or, if you must customize, at least partition the changes so
that they are clearly separated from the `base' system you're working
with.

response 3 of 20: aruba
Nov 9 21:39 UTC 2002
Sounds like a good idea to me, too.

response 4 of 20: cross
Nov 11 17:29 UTC 2002
So what do people think about implementing my proposal to move to a
standard KDC?

response 5 of 20: mary
Nov 11 17:55 UTC 2002
I don't know the technical pros and cons but I strongly believe Grex staff
should be setting system software up so that most present and future staff
could assume maintenance responsibilities with as little chaos as
possible.

response 6 of 20: jep
Nov 11 17:57 UTC 2002
I think that, too, but I also think they've probably thought of it.
I'm looking forward to a response from a staff member.

response 7 of 20: remmers
Nov 11 19:26 UTC 2002
(I'm a staff member and have responded.)

response 8 of 20: jep
Nov 12 04:25 UTC 2002
(I took your comments to mean you were responding as a user, since you
prefaced it with a disclaimer of expertise.)

response 9 of 20: remmers
Nov 12 14:44 UTC 2002
(We're all users here. ;-)

response 10 of 20: jep
Nov 12 16:17 UTC 2002
(Heh. Good point, but I was looking for a response from the staffer(s)
responsible for doing the work before I have much of an opinion.)

response 11 of 20: gelinas
Nov 13 02:00 UTC 2002
To the best of my knowledge and belief, Marcus is the only staffer to work
on the authentication routines. The discussion between Marcus and Dan is
recorded in garage.
I don't expect to see anything new from either of them here.

response 12 of 20: gull
Nov 13 14:58 UTC 2002
I suspect ultimately the decision will be made by whoever actually does the
work.

response 13 of 20: aruba
Nov 13 15:31 UTC 2002
Which is not necessarily the best way to go about it in all cases, since
other people will have to contend with the consequences of that decision in
the future. I.e., we could stand to plan things a bit.

response 14 of 20: cross
Nov 13 17:21 UTC 2002
Regarding #11: Marcus has not responded to this proposal, unless he
did it since the last time I logged in.

response 15 of 20: gelinas
Nov 17 00:08 UTC 2002
The discussion I was thinking of was actually right here in coop: Items 12
and 28. In Item 12, it starts around response 180; in Item 28, around
response 48.

response 16 of 20: cross
Nov 17 20:08 UTC 2002
Those discussions have nothing to do with the specifics of the proposal
I made in thread #134 in the garage group.

response 17 of 20: gelinas
Nov 17 20:35 UTC 2002
Yeah. Right.

response 18 of 20: cross
Nov 17 21:52 UTC 2002
Joe, perhaps you were confused about the difference between /etc/shadow
and updating that database, and Kerberos and updating its database?

response 19 of 20: gelinas
Nov 18 03:21 UTC 2002
I don't consider the difference significant for this discussion. In both
cases, you object to the custom hash Marcus wrote for grex. The application
of the algorithm isn't important to the technical design of the algorithm.
And it's the technical design you are objecting to.
So yes, those discussions ARE relevant, and I DON'T expect to hear either
of you offer different arguments than presented before.

response 20 of 20: cross
Nov 18 15:57 UTC 2002
So, where in item 12 did I talk about Marcus's algorithm?
What you expect is immaterial to what is best for the system moving forward.