What happened to the "XDM-AUTHORIZATION-2" authentication

Roland Mainz roland.mainz at nrubsig.org
Sat Mar 19 11:47:20 PST 2005


mcnichol at austin.ibm.com wrote:
> 
> > From: Felix Schulte <felix.schulte at gmail.com>
> >
> > On Fri, 18 Mar 2005 11:29:49 -0800, Alan Coopersmith
> > <Alan.Coopersmith at sun.com> wrote:
> > > Roland Mainz wrote:
> > > > What happened to the XDM-AUTHORIZATION-2 authentication scheme ? Was
> > > > it dropped later, just forgotten or something else ?
> > >
> > > It was put aside due to a lack of interest,
> > Lack of interest? All OS vendors which want to sell their products to
> > the DOD have to meet the requirement that their products can operate in
> > an IP6-only environment by 2007/2008.
> 
> Other than XDM-AUTHORIZATION-1, won't all the other current authorization methods
> work in IPv6?

- MIT-MAGIC-COOKIE-1 will work as it is independent from the used
network transport (unix socket, TCP/IPv6, TCP/IPv6, DECnet etc.) and
does not carry any transport-specific values in the data itself (tested
with IPv6, works)
- SUN-DES-1 uses SecureRPC's user-to-user auth. API (which means all the
nasty network transparency is handled elsewhere (e.g. NIS+/LDAP etc.))
(tested with IPv6, works)
- MIT-KERBEROS-5 doesn't care for the same reason as SUN-DES-1 (details
are handled by the Kerberos auth. service) (untested whether there are
any possible issues with IPv6 as Kerberos5 support doesn't build on Xorg
trunk)
- ServerInterpreted auth. ("SI") has no problem with IPv6 (as it was
added together with the IPv6 support and one of the first things tested
there (uhm... actually the SI auth scheme supports multiple
"sub"-schemes for local users/groups and IPv6 mobile access but I didn't
test these details))

So far "XDM-AUTHORIZATION-1" is the only auth. scheme which causes
trouble... unfortunately _lots_ of Linux distributions (such as SuSE)
are using it by default. MIT-MAGIC-COOKIE-1 may be considered a little bit
"weak" these days, SUN-DES-1 and MIT-KERBEROS-5 require special
per-site setup (NIS+/YP/LDAP or Kerberos5) and ServerInterpreted may not
work via XDMCP (alanc may correct me if I am wrong) ... that's why I
asked about "XDM-AUTHORIZATION-2" ...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)
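
To see which of the schemes named in this message a display manager actually issued, the entries of an Xauthority file can be listed by family and scheme name. The following is an added example, not part of the original post or of Xorg's code; it assumes the standard Xauthority record layout (16-bit big-endian family, then four length-prefixed fields), and the sample records and the `_rec` helper are constructed for illustration.

```python
import struct
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}  # X.h / Xauth.h
REMARKS = {  # per-scheme remarks, as stated in the message above
    "MIT-MAGIC-COOKIE-1": "transport-independent, may be considered weak",
    "XDM-AUTHORIZATION-1": "the one scheme reported to cause trouble with IPv6",
    "SUN-DES-1": "needs per-site setup (NIS+/YP/LDAP)",
    "MIT-KERBEROS-5": "needs per-site setup (Kerberos5)",
}

def parse_xauthority(blob):
    """Return (family, address, display, scheme, data_len) per record."""
    pos, records = 0, []
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated Xauthority record at offset %d" % pos)
        chunk = blob[pos:pos + n]
        pos += n
        return chunk
    def counted():  # 16-bit big-endian length, then that many bytes
        return take(struct.unpack(">H", take(2))[0])
    while pos < len(blob):
        family = struct.unpack(">H", take(2))[0]
        addr, display, scheme, data = counted(), counted(), counted(), counted()
        records.append((FAMILIES.get(family, str(family)), addr,
                        display.decode("ascii", "replace"),
                        scheme.decode("ascii", "replace"), len(data)))
    return records

def audit(blob):
    """Return one finding line per record; the secret data is never echoed."""
    findings = []
    for family, _addr, display, scheme, data_len in parse_xauthority(blob):
        remark = REMARKS.get(scheme, "scheme not discussed in the message")
        if scheme == "XDM-AUTHORIZATION-1" and family == "Internet6":
            remark = "FLAG: " + remark
        findings.append("%s :%s %s (%d-byte data): %s"
                        % (family, display, scheme, data_len, remark))
    return findings

def _rec(family, addr, display, scheme, data):  # hypothetical helper for the sample
    out = struct.pack(">H", family)
    for field in (addr, display, scheme, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: a local cookie entry and an IPv6 XDM entry (all-zero data).
SAMPLE = (_rec(256, b"host", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)) +
          _rec(6, bytes(15) + b"\x01", b"1", b"XDM-AUTHORIZATION-1", bytes(16)))
```

On a real system, `audit(open(path, "rb").read())` with the path from `$XAUTHORITY` gives the same listing without printing any key material.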


