Re: Kerberos/LDAP/SASL central authentication server howto
On Mon, Aug 09, 2004 at 02:38:21PM +0200, Tarjei Huse wrote:
> ?? I didn't know, sorry. Please tell me more on how I can use GSSAPI instead of
> tls to secure not only authentication but everything that happens over the
> wire.
It really depends on the client tool. Not only does GSSAPI provide this, DIGEST-MD5
does too.
Examples of such tools that I'm 100% aware of are ldapsearch and mutt when doing SASL
authentication.
With ldapsearch, for example:
$ ldapsearch -h ldap.server | head -5
SASL/GSSAPI authentication started
SASL username: andreas@DISTRO.CONECTIVA
SASL SSF: 56 <---------- encrypted channel (only 56 bits though)
SASL installing layers
(...)
With digest-md5:
$ ldapsearch -h ldap.server -Y digest-md5 | head -5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: andreas
SASL SSF: 128 <---------------------
SASL installing layers
(...)
But Kmail, for example, even though it supports DIGEST-MD5, does not encrypt the
rest of the traffic. That is, it doesn't request this additional layer of
security.
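
The SSF check shown in the message above can be scripted. This is an added example, not part of the original post: the function names and the sample outputs are constructed for illustration, and it assumes the SASL diagnostic lines have the form quoted in the message.

```shell
#!/bin/sh
# Added example: read ldapsearch's SASL diagnostics and fail when the
# negotiated security layer is weaker than a required minimum SSF.

# sasl_ssf: print the negotiated SSF found on stdin, or 0 when no
# "SASL SSF:" line is present (no SASL bind, or no layer negotiated).
sasl_ssf() {
    awk '/^SASL SSF:/ { ssf = $3; found = 1 }
         END { print (found ? ssf + 0 : 0) }'
}

# check_sasl_ssf MIN: return 0 only if the SSF on stdin is >= MIN.
check_sasl_ssf() {
    min=$1
    ssf=$(sasl_ssf)
    if [ "$ssf" -ge "$min" ]; then
        echo "OK: SSF $ssf >= $min"
    else
        echo "WEAK: SSF $ssf < $min"
        return 1
    fi
}

# Constructed samples modelled on the output quoted in the message.
GSSAPI_OUT='SASL/GSSAPI authentication started
SASL username: andreas@DISTRO.CONECTIVA
SASL SSF: 56
SASL installing layers'

DIGEST_OUT='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 128
SASL installing layers'

# Constructed: authentication succeeded but no security layer was negotiated.
NOLAYER_OUT='SASL/DIGEST-MD5 authentication started
SASL username: andreas
SASL SSF: 0'

for sample in "$GSSAPI_OUT" "$DIGEST_OUT" "$NOLAYER_OUT"; do
    printf '%s\n' "$sample" | check_sasl_ssf 128 || true
done

# Against a live server the diagnostics arrive on stderr, and the client
# can refuse a weak layer itself with the SASL security properties option:
#   ldapsearch -h ldap.server -Y GSSAPI -O minssf=128 2>&1 | check_sasl_ssf 128
```

The check covers only clients whose output can be inspected; a client that never requests a layer, as described for Kmail, has to be caught by a minimum-SSF requirement on the server side.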