In message <email@example.com>, Brian May writes:
| What are tacacs+/xtacacs/radius? Are these any good as authorization
They are authorization protocols used by dialup routers and the like. Yes,
free versions are available, at least for RADIUS and TACACS (not sure about
| Also, what is wrong/insufficient with authorization directly based on
| the principal's identity? (I assume programs supplied with Heimdal fall
Every principal in the KDC is allowed to log in, and there's no way to
specify privilege level.
Authentication: "this user is who s/he claims to be"
Authorization: "this user is permitted to do these things"
Kerberos only provides the former (well, barring the w2kproblem
"extensions"). You want to have the latter as well as the former, unless
you really want every principal in your KDC to have administrative access to
brandon s. allbery os/2,linux,solaris,perl firstname.lastname@example.org
system administrator kthkrb,heimdal,gnome,rt email@example.com
carnegie mellon / electrical and computer engineering kf8nh
We are Linux. Resistance is an indication that you missed the point.
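
The authentication/authorization split described in the reply above, as an added example that is not part of the original message: a default-deny privilege lookup applied after Kerberos has already authenticated the principal. The realm `EXAMPLE.ORG`, the ACL format, the numeric privilege levels and the function names are all assumptions made for illustration.

```python
import re

LOCAL_REALM = "EXAMPLE.ORG"  # hypothetical realm

# Constructed sample ACL: "principal level" per line; unlisted principals get no access.
ACL_TEXT = """\
# principal              level
alice@EXAMPLE.ORG        1
bob/admin@EXAMPLE.ORG    15
"""

# Strict shape: primary[/instance]@REALM; anything else is rejected outright.
PRINCIPAL_RE = re.compile(
    r"(?P<primary>[A-Za-z0-9._-]+)(?:/(?P<instance>[A-Za-z0-9._-]+))?@(?P<realm>[A-Za-z0-9.-]+)"
)


def load_acl(text):
    """Parse ACL lines into {principal: level}, rejecting malformed entries."""
    acl = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if (len(fields) != 2 or not PRINCIPAL_RE.fullmatch(fields[0])
                or not fields[1].isdigit()):
            raise ValueError(f"bad ACL entry on line {lineno}")
        acl[fields[0]] = int(fields[1])
    return acl


def authorize(principal, required_level, acl):
    """True only if the already-authenticated principal is listed with enough privilege."""
    m = PRINCIPAL_RE.fullmatch(principal)
    if m is None or m.group("realm") != LOCAL_REALM:
        return False  # malformed name or foreign realm: deny
    # Exact match: bob@REALM and bob/admin@REALM are different principals.
    level = acl.get(principal)
    return level is not None and level >= required_level


ACL = load_acl(ACL_TEXT)

if __name__ == "__main__":
    for p in ("alice@EXAMPLE.ORG", "bob/admin@EXAMPLE.ORG", "bob@EXAMPLE.ORG"):
        print(p, "admin" if authorize(p, 15, ACL) else "no admin access")
```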