[zorp] zorp vs. TIS

Tim Sailer sailer@bnl.gov
Tue, 13 Feb 2001 15:14:36 -0500


On Tue, Feb 13, 2001 at 02:21:52PM +0100, Balazs Scheidler wrote:
> Yes, that's why we are considering telnet.

Great! Please let me know if you implement this.

> > > We have our own authentication system, currently supporting S/Key and
> > > CryptoCard (ANSI X9.9). We partly removed it from 0.7.x, because we
> > > are redesigning some parts.
> > 
> > That's a problem with a lot of things that use CryptoCard. Everyone
> > supports it in their own way. We have a full enterprise rolled out
> > with cryptocards, and for us to have to maintain 2 separate sets of
> > account info would be hard. We use Radius backended by the cryptoadmin
> > server, and that gives us a common OTP for all our services, including
> > logging in to hosts, since there is a pam_radius_auth module.
> 
> Our system isn't necessarily closed. It can use a radius server as a
> backend.

Hmm, OK. I didn't see this when I looked at the application. I'll go back
again.

> > > > We're also looking for Telnet and FTP proxies that are Kerberos5 aware.
> > > > I'm pretty sure we'll have to roll our own on that one.
> > > 
> > > What do you mean on that? Authenticate your users for going through
> > > the firewall?
> > 
> > Yes. And, if they have a valid ticket already, let them pass through without
> > any more authentication.
> 
> We'll think about it.

Thanks. This would solve most of our problems, along with the ssh and
telnet, since we have the krb5 server using OTP authentication. This would
give us single sign-on with strong authentication.

Tim

-- 
Tim Sailer <sailer@bnl.gov> Cyber Security Operations
Brookhaven National Laboratory  (631) 344-3001