Differences between revisions 1 and 2
Revision 1 as of 2006-03-22 16:26:32
Size: 2201
Comment: initial incomplete page
Revision 2 as of 2006-03-22 16:32:25
Size: 2207
Comment:
Line 35: Line 35:
Other UNIX software could be made Kerberos5 aware by using the SASL or GSS API. Other UNIX software is or could be made Kerberos5 aware by using the SASL or GSS API.
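Review bot: The reworded sentence at line 35, "is or could be made Kerberos5 aware", now makes two claims at once without saying which software already has support and which would need work. Consider splitting the two cases, for example "Other UNIX software already supports Kerberos5 or could be made Kerberos5 aware by using the SASL or GSS API." The revision comment is also empty, so the reason for the change is not recorded.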

Authentication technologies

Authentication using symmetric key cryptography

The same key is used for encryption and decryption (or one key is easily derived from the other). A third party is needed to establish a trust relation. In high energy physics, Kerberos4 and Kerberos5 are used. Kerberos4 has security flaws and has largely been replaced by Kerberos5.

Kerberos5

Defined in [http://www.ietf.org/rfc/rfc4120.txt RFC4120], API defined in [http://www.ietf.org/rfc/rfc4121.txt RFC4121]

Currently implemented in 3 major variants: MIT Kerberos, Heimdal Kerberos, Windows Kerberos

Software with Kerberos Support

Usually the software mentioned below does not come with Kerberos support by default; configuration or recompilation is required in most cases.

  • Web servers: IIS, Apache (so-called Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) support)
  • Web clients: Internet Explorer, Mozilla, Firefox
  • Mail servers: Cyrus-IMAP, UW-IMAP
  • Mail clients: pine, Mozilla, Thunderbird
  • Batch systems: SunGridEngine, LSF
  • Filesystems: AFS, NFSv4
  • Libraries: PAM, GSSAPI, SASL, Perl modules (Authen-SASL, Authen-Krb5)
  • Protocols: Socks5
  • Client/server programs: openssh, telnet, ftp, su, arc, arcx

Other UNIX software is or could be made Kerberos5 aware by using the SASL or GSS API.

Public key infrastructure

DVInfo/Authentication_technologies_in_use_at_HEP (last edited 2008-10-30 11:40:12 by localhost)