[JDEV] digest and ldap and authentication

mark at mjwilcox.com mark at mjwilcox.com
Mon Jul 31 18:06:00 CDT 2000


You do send your password over the wire during the initial Kerberos 
login.

However, while Kerberos support would be a nice alternative, all of 
the clients need to be able to support it, as well as the server 
installation.  

While Kerberos has been out for years, it's been slow to have been 
adopted widely (perhaps Windows 2000 will change this because it 
uses Kerberos, organizations may end up rolling Kerberos out to 
make it easier to interoperate with Win2K).

mark



On 31 Jul 00, at 12:58, Donn Cave wrote:

> For what it's worth, I have used Kerberos 5 authentication with
> jabber.  It's pretty easy to slip that into the 1.0 server with
> an extra authkrb5 module that handles "auth" requests where a
> Kerberos ticket was supplied.
> 
> I have tested it with only a Python client I wrote myself for this
> purpose.  I have had a little trouble finding buildable source for
> any usable real client, so this project has moved down on my list.
> 
> Kerberos 5 is a network authentication system that supports a "single
> login" model, where you have a password for a long term key that you
> use once to authenticate with the Kerberos ticket service at the
> beginning of your computer session.  That gives you a 10 hour key
> that is stored on your computer where it's used for service tickets
> like telnet etc.  Nowhere in this process do you send your password
> out on the wire, encrypted or otherwise.  Particularly, you don't
> send it to application servers like jabber, so you aren't handing
> your password over to the jabber admin.
> 
> Kerberos is available directly from MIT, http://web.mit.edu/kerberos/www
> and also through some distributions, like RedHat Linux.  FreeBSD 4.0
> comes with Heimdal, a compatible implementation from Sweden, and there
> are several commercial implementations, notably MS in Windows 2000.
> 
> This doesn't have much to do with LDAP or digest authentication,
> except inasmuch as it's an alternative.
> 
> 	Donn Cave, donn at u.washington.edu


Mark Wilcox
mark at mjwilcox.com
Got LDAP?



