Hi Rune,

Thanks so much for addressing all my questions. Here's a couple further remarks.

On Mar 20, 2007, at 12:53 PM, u+codalist-p4pg_at_chalmers.se wrote:

> 1: Yes, it is reasonably strong (about as strong as you can do with
> 64-bit keys)
>
> 2: Kerberos may still be preferable for other reasons, e.g.
>
>    sharing passwords with other systems like host login or something else
>
>    using third-party tools for authentication record management
>    (password changes, adding/deleting accounts)
>
>    reusing existing user authentication databases (doesn't seem to apply
>    in your case?)

I'm interested in users - which authenticate via an external LDAP server on their workstations - having their homes mounted upon login on the /coda filesystem. Does this mean this will only work with a Kerberos-based authentication in Coda? From what you see, it appears to be the case, though taking into account clog uses 64-bit encryption, that'd be enough for me and I'd rather avoid setting up Kerberos for now.

On a side note, I found a pam_coda module somewhere on the web, written by Robin Gareus back in early 2000. What is the preferred way nowadays to have such a setup going?

> 3: Kerberos 5 protocol is fully supported, but there are hardwired
> limitations on how a Kerberos realm must be set up to make it useful
> for a certain Coda realm, which makes sharing the authentication data
> somehow troublesome, especially across administration domains.
>
> I'd suggest using the "experimental" modular clog.
> It is fully functional and quite extensively tested,
> but still did not replace the old code in the distribution.

Hmm, how do I go about giving it a spin? I've been simply using the Debian packages on the CMU Coda repository...

> In my personal biased opinion the default Kerberos support code is
> incomplete, it relies on client-side configuration of clog/Kerberos.
> In contrast, the modular uses a trivial service on the server
> side so that the clients work with any realm having such a service,
> talking to the corresponding Kerberos servers without any client-side
> configuration.
> Of course if a Coda realm does not announce its authentication setup,
> (the modular) clog can always be configured / given explicit
> command line options to do the right thing.
>
> Regards,
> Rune

Cheers,
Paulo

Received on 2007-03-20 09:49:38