[fw-wiz] Kerberos (was: Firewall PKI integration requirements)
nuqneH,
On Sun, Aug 20, 2006 at 09:39:02PM -0700, Carson Gaspar wrote:
> --On Friday, August 18, 2006 7:48 PM +0400 ArkanoiD <ark@eltex.net> wrote:
>
> > What PKI integration/certificate management functions do you people
> > expect to see on the firewall? Manual import, LDAP integration
> > (exactly how?), CRL management features (which way)? Please describe them
> > in detail, as I am going to implement those for IPSec, SSL/TLS
> > and maybe other crypto functions. Is Kerberos still considered alive
> > and widely deployed? Should I support it, which way?
>
> I'm not sure if you're asking about krb5/PKI, or other uses of kerberos.
I was talking about PKI in general and Kerberos as yet another infrastructure
thing.
> Kerberos V is certainly very alive for authentication. My expectation would
> be _minimally_ to support it as an authentication back-end. Kerberized
> logins to the firewall itself (via ssh GSSAPI, ktelnet, or whatever) would
> also be a very good idea, especially if you support krb5 principal ACLs
> (e.g. gaspac/admin@EXAMPLE.COM may log in with admin privs). Supporting
> krshd pass-through would be nice (it's annoyingly just slightly different
> from rshd, as I recall from my fwtk/Gauntlet days).
Well, what is the desired deployment scenario? Where do I place the KDC?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards