Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> After reading the responses for my email about NIS security, I was
> convinced that it's time to learn about ldap w/kerberos. In the
> ldap-howto's I've read there were references to kerberos by MIT and
> Heimdal. Looking in my aptitude list I saw a lot of packages with
> different versions of kerberos and I've got a little confused. I was
> wondering what would be a good place to start with kerberos (keeping
> in mind that my main interest is to combine it with ldap)?
My information on this subject is a little out of date, and I was never all that well informed on it, but I'll give it a try, anyway.

Researchers at the Swedish Royal Institute of Technology (KTH = Kungliga Tekniska Högskola), working from freely available information about Kerberos, such as had reached the international community from MIT's Project Athena, before pressure from US spook agencies caused a clampdown on "export" of information about strong cryptography. So, KTH Kerberos, aka Heimdal, was an implementation of the 1987 Kerberos v4 spec, which used DES encryption. (The earlier three versions were development-only.)

Meanwhile, MIT researchers were proceeding through 1990-91 in creating the Kerberos v5 spec and reference implementation, i.e., MIT Kerberos, introducing 3DES and other newer types of authentication. Until late in the 1990s, this code and knowledge of it in theory could not be legally "exported" from the USA, despite it being publicly documented in RFC 1510 and 1509.

Of late, the KTH people have managed, either thanks to the relative lifting of "export" paranoia, or entirely on their own efforts, to implement Kerberos v5[1], as well.

How do they now compare, and how interoperable are they? Beats me. Maybe someone else will comment.

[1] Which is a damned good thing, since researchers found a protocol flaw in Kerberos v4 authentication, making possible successful dictionary attacks: S. M. Bellovin and M. Merritt, "Limitations of the Kerberos Authentication System", Proceedings of the 1991 USENIX Conference, Dallas, TX, 1991.

-- 
Cheers,                 A host is a host, from coast to coast.
Rick Moen               And nobody talks to a host that's close,
[EMAIL PROTECTED]       Unless the host that isn't close is busy, hung, or dead.