Perry Myers wrote:
Adding sct to look at this
On 01/19/2011 10:12 PM, Perry Myers wrote:
> The first pass at Matahari right now has zero auth on it, just a
> username field to connect to a broker but no password. :)
>
> Adam is working to add simple password auth to Matahari so that we have
> some semblance of security.
>
> But as Dmitri will point out, the real deal here is to get kerberos
> integrated via IPA. Of course, qpid supports auth via kerberos, but
> there are some practical matters we need to figure out.
>
> Ignoring for a minute the issue of getting a machine its identity (which
> Dmitri already covered separately), let's assume that the machine
> already has a keytab file in place on the filesystem.
>
> Ok, now we've got a keytab, but...
>
> * How do we do the equivalent of kinit to load the identity and
> authenticate to the KDC in an automated fashion? Kerberos tickets
> generally have an expiration, so the 'kinit' would need to happen on
> some sort of schedule? How is this done? (Note: crontab/at are not
> good answers)
>
> * Can/should we use keytab/identities that do not require a password to
> create a ticket? Since we need automation here, adding a password is
> sort of self-defeating anyhow
>
> * What about Windows? If we're going to rely on Kerberos on Windows as
> well, that means we need to preinstall some MIT kerb software on
> Windows which means we need to pull it into Fedora and cross compile
> it along with mingw32-matahari? Or do we just say "if you want to
> use Matahari/Kerberos on Windows, here go download this MIT kerberos
> windows installer from http://...."?
>
> * Aside from installing either ipa RPMS on Fedora or MIT kerberos
> software on Windows, there's the issue of configuring your OS to use
> a KDC. Do we just declare that that is outside the scope of Matahari
> install and state "if you want to use Kerberos auth, first make sure
> your OS has the proper software and configuration to connect to a
> KDC"?
>
> Dmitri, thoughts? Just trying to figure out the practicalities of
> making this easy to deploy and use for end-users on both Fedora and
> Windows platforms.
>
I have some answers, but I need more time.
I will reply later today.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
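The two keytab questions in the quoted mail (how to run the equivalent of kinit on a schedule without crontab/at, and whether a keytab identity that needs no password is acceptable) map onto standard MIT Kerberos tooling: "kinit -k -t" obtains a ticket from a keytab with no password, "kinit -R" renews a renewable ticket in place, and "klist -s" silently reports whether the cache still holds a valid TGT. The script below is an added illustration written for this page; it is not Matahari code and nothing in the thread describes it. The principal, keytab path, cache path and intervals are placeholder assumptions, and the keytab permission check is a practitioner's caveat rather than anything the thread asks for.

```sh
#!/bin/sh
# Added example, not Matahari code: keep a machine's Kerberos TGT alive from a
# keytab with no password and no cron/at, by polling from the agent's own
# supervisor loop. Every name and path below is a placeholder assumption.
set -u

KRB5_PRINCIPAL="${KRB5_PRINCIPAL:-host/agent.example.com@EXAMPLE.COM}"  # assumed
KRB5_KEYTAB="${KRB5_KEYTAB:-/etc/matahari.keytab}"                      # assumed
KRB5CCNAME="${KRB5CCNAME:-FILE:/var/run/matahari/krb5cc}"               # assumed
export KRB5CCNAME          # kinit, klist and the agent share this cache
RENEW_LIFE="${RENEW_LIFE:-7d}"            # renewable lifetime to request
CHECK_INTERVAL="${CHECK_INTERVAL:-600}"   # seconds; keep well below ticket life

# A keytab is a long-term key, equivalent to the machine's password: refuse
# to use one that group or others can read. Returns 0 only for mode ?rw-------.
check_keytab() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Fetch a new TGT from the keytab: -k use a keytab, -t which file, -r ask for
# a renewable ticket so later refreshes can use kinit -R instead of the key.
acquire_ticket() {
    kinit -k -t "$KRB5_KEYTAB" -r "$RENEW_LIFE" "$KRB5_PRINCIPAL"
}

# One refresh step. Prints the action taken and returns 0, or prints
# "failed" and returns 1 when the cache is unusable and the keytab kinit fails.
#   renewed  - cache still held a valid TGT and kinit -R extended it
#   acquired - TGT missing, expired or not renewable; fetched from the keytab
refresh_ticket() {
    # klist -s prints nothing and exits 1 if the cache is unreadable or expired.
    if klist -s 2>/dev/null && kinit -R 2>/dev/null; then
        echo renewed
        return 0
    fi
    if acquire_ticket >/dev/null 2>&1; then
        echo acquired
        return 0
    fi
    echo failed
    return 1
}

# Supervisor loop: the agent's init script runs this instead of installing a
# crontab entry, so ticket upkeep lives and dies with the agent.
run_forever() {
    check_keytab "$KRB5_KEYTAB" || {
        echo "refusing to start: $KRB5_KEYTAB missing or not mode 0600" >&2
        exit 1
    }
    while :; do
        refresh_ticket >/dev/null ||
            echo "$(date): kerberos refresh failed for $KRB5_PRINCIPAL" >&2
        sleep "$CHECK_INTERVAL"
    done
}

# Invoked as: krb5-refresh.sh run
if [ "${1:-}" = "run" ]; then
    run_forever
fi
```

The polling interval has to stay well under the ticket lifetime the KDC actually grants (the realm's maximum wins over the -r request), otherwise the agent can sit on an expired ticket between checks; renewing on every pass is cheap and keeps the expiry far in the future, and the keytab fallback covers a non-renewable ticket or a restarted KDC.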