On Wed, 2005-07-06 at 14:22 +1000, Brian May wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet@samba.org> writes:
>
>     Andrew> I note that recent security advisories for both
>     Andrew> distributions were in these 'utility' programs (telnet,
>     Andrew> ftpd etc) rather than in the core kerberos code.
>
> I don't use telnet, rsh, ftpd any more. I generally use ssh, sftp, etc
> instead. I feel safer using these tools, because I think security bugs
> will be found faster in ssh, as it gets more use, and hence more
> inspection, than the tools in Heimdal (not that openssh doesn't get
> its fair share of security bugs).
>
> There is also the pop server. It is the only server I know of that
> supports Kerberos, at least in Debian. However, I only know of one
> client in Debian that supports Kerberos (or so it claims[1]), a client
> I don't use myself, and I tend to use courier-imap anyway.
>
> I do think accessing mail via Kerberos would be a good idea, instead
> of entering a password each time... Not to mention being able to
> authenticate to web servers using a Kerberos ticket already
> obtained at log in. Then again I am getting off topic.

SASL covers most of this problem, and as I understand it, it is a far
more standard solution than kpop. I don't know if the mail clients and
server use the sign/seal end or just the authentication, but I certainly
see GSSAPI as a supported password type for evolution.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net