On Tue, Feb 13, 2001 at 02:21:52PM +0100, Balazs Scheidler wrote:
Yes, that's why we are considering telnet.
Great! Please let me know if you implement this.
We have our own authentication system, currently supporting S/Key and CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we are redesigning some parts.
That's a problem with a lot of things that use CryptoCard. Everyone supports it in their own way. We have a full enterprise rolled out with cryptocards, and for us to have to maintain 2 separate sets of account info would be hard. We use Radius backended by the cryptoadmin server, and that gives us a common OTP for all our services, including logging in to hosts, since there is a pam_radius_auth module.
Our system isn't necessarily closed. It can use a radius server as a backend.
Hmm, OK. I didn't see this when I looked at the application. I'll go back again.
We're also looking for Telnet and FTP proxies that are Kerberos5 aware. I'm pretty sure we'll have to roll our own on that one.
What do you mean by that? Authenticate your users for going through the firewall?
Yes. And, if they have a valid ticket already, let them pass through without any more authentication.
We'll think about it.
Thanks. This would solve most of our problems, along with the ssh and telnet, since we have the krb5 server using OTP authentication. This would give us single sign-on with strong authentication.

Tim

--
Tim Sailer <sailer@bnl.gov>
Cyber Security Operations
Brookhaven National Laboratory
(631) 344-3001