Where do I find money to fund my rewrite of Kerberos 5 in Rust, removing the dumb options and Kerberos 4 compatibility and eventually create Kerberos 6 + AD that will solve a metric buttload of issues in Linux and knock a major peg of MS off?
Ultimately Kerberos is used to authenticate basically everything in a Windows on-prem environment and in a way that is largely transparent to the user. Silent SSO is a very nice feature.
Even if you're doing OIDC or SAML, those protocols do not define what is actually performing authentication at the IdP which, again, ultimately ends up being Kerberos if your people are on-prem.
So whatever your feelings are about Kerberos as a protocol, it doesn't matter if that's what Windows uses.
And again, it cannot be obsoleted by other protocols.
Even if you're using a newer fido thing like passkeys or client certs or whatever, ultimately the device has to be authenticated to get that passkey or cert or whatever it is installed into the authenticator app of the device. So Kerberos is king on prem.
MIT Kerberos on Linux is not really compatible with Windows Kerberos in ways that cause problems that are not solved by re-writing Kerberos in another language. More important issues have to do with sharing credentials and getting trust info and other such things.
simplify gssapi, for one. single authentication and authorization: submit on slurm? ask kerberos + ldap. can I upload to this service? ask kerberos + ldap. Policies applied on this computer? ask kerberos + ldap
I may be naive a bit, I'll accept that, but I really like how AD works (which is essentially kerberos + ldap)
I tried to set up network file sharing with NFS the other day and it was like pulling teeth. You need Kerberos if you want to map user names instead of user ids and still have some security.
Ultimately I gave up and used samba instead, but it does seem like there's a big gap in linux offerings for "home/small business network file sharing" with shared auth
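As an added illustration of the point about NFS, user names and security (not from any commenter in this thread): the uid-trusting NFSv4 export beside the Kerberos one. Hostnames, realm, subnet and paths are made up.

```conf
# /etc/exports on the NFS server (constructed example)
# Weak: sec=sys trusts whatever numeric uid/gid the client sends. Any host that
# can reach the server and set its own uid can act as that user.
/srv/share  192.0.2.0/24(rw,sec=sys)

# Better: every user needs a Kerberos ticket and the client host needs an
# nfs/<fqdn> keytab. krb5p = authentication + integrity + encryption of the data.
/srv/share  192.0.2.0/24(rw,sec=krb5p)

# /etc/idmapd.conf on server and clients: NFSv4 carries user@domain names on
# the wire and idmapd maps them to local accounts, so uids no longer need to
# match between machines. Domain is a placeholder.
[General]
Domain = example.test

# Client side mount (placeholder server name):
# mount -t nfs4 -o sec=krb5p nfs.example.test:/srv/share /mnt/share
```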
lokar|3 months ago
project2501a|3 months ago
Add public key infrastructure support, make ldap the default store and you've got AD. Even better, you can throw all the OAuth crap down the drain.
now, starting services with a password becomes an issue of booting the machine.
cyberax|3 months ago
Kerberos is not a great protocol, though.
bodeadly|3 months ago
kakacik|3 months ago
Understatement of the week
project2501a|3 months ago
and you really need to read the kerberos book before picking up sssd.
mr_mitm|3 months ago
nightfly|3 months ago
project2501a|3 months ago
solid_fuel|3 months ago
NuclearPM|3 months ago