Date:      Thu, 25 Mar 1999 14:49:18 +1000 (EST)
From:      Gary Gaskell <gaskell@isrc.qut.edu.au>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <Pine.GSO.4.10.9903251445280.17330-100000@primrose.isrc.qut.edu.au>
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>
Perhaps I am confused.  I thought you wanted an rsh-like tool
that used strong crypto (like ssh does), but has a central control point,
rather than ssh's peer-to-peer architecture.

The rsh I mentioned in the MIT Kerberos distribution is kerberised.
The command is krsh and the server is krshd, which can be started from
inetd.

Personally I would have agreed back in 1994 that the MIT beta distribution
of Kerberos was a little unintuitive to set up, but I think it's pretty
good now.  I know I had a web page back in those days detailing each step.
Others have now gone further.

Best wishes with your project.

Gary

On Wed, 24 Mar 1999, Matthew Dillon wrote:

> :I was using rsh/rlogin with a kerberos server for something similar 5
> :years ago (kerberos v5) and it was all free, save the time of compilation
> :and configuration.
> :
> :What's the problem?  the rtools are part of the MIT distribution.
> :
> :Gary
> :
> :On Wed, 24 Mar 1999, Mike Thompson wrote:
> :
> :> We are configuring a series of web servers running FreeBSD 2.2.8
> :> for a new Internet service.  To implement our service we need
> :> to provide a mechanism for secure communication between the 
> :> servers using an rsh-like facility.
> :> 
> :> One method of doing this would be to run SSH on each server for
> :> encrypted/authenticated communication.  However, the downsides
> :> of this are that there wouldn't be a central administration
> :> facility for managing authentication information (unless we
> :> create one), ssh has a relatively high CPU overhead to encrypt 
> :> all communications and we would like to avoid paying the substantial
> :> license fees for SSH across a large number of servers.
> :> 
> :> An alternative would be to run a rsh in combination with a
> :> Kerberos server to centrally administer authentication 
> :> information between each server.  Communication between the
> :> servers would take place behind a router to prevent 
> :> interception of the unencoded packets.  We would also use
> :> IPFW to restrict communication with rsh as further protection
> :...
> 
>     SSH can be configured to use Kerberos V fairly easily.  I set the
>     following in my /etc/make.conf.local:
> 
> MAKE_KERBEROS5= YES
> KRB5_HOME= /usr/krb5
> 
>     And then I build the krb5 port and the ssh port.
> 
>     Of course, in order to use Kerberos you need to set up a Kerberos
>     server, and Kerberos is extremely user unfriendly when it comes
>     to figuring out how it works.  But if you can get past that point
>     you can get ssh working w/ Kerberos.
> 
>     This is what BEST.COM does.  We also disallow passworded root logins
>     except on the console ( even w/ ssh ), and use the kerberos 'ksu' command 
>     to control access to root.  This allows us to configure a crypted root 
>     password in the password file good for logging into the console, but
>     useless if stolen and decrypted.  All other accounts have '*' for their
>     password ( i.e. ssh+kerberos logins only).  Use of ssh authorized_keys
>     files are also discouraged, though we do use them for direct root-root
>     cron'd administrative functions from two 'secured' machines.
> 
>     rsh, rlogin, telnet, exec, and other administrative services are disabled
>     entirely on administrative machines.  sshd is the only way to get in apart
>     from finding a hole in the servers running that implement the function 
>     and purpose of the machine.
> 
> 					-Matt
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

Cheers, 

Gary

-----------------------------------------------------------
Gary Gaskell
Manager Secure Network Laboratory      Phone (07) 3864 1190
Information Security Research Centre   Fax   (07) 3221 2384
Queensland University of Technology
-----------------------------------------------------------
      _--_|\
     /      QUT   A University for   http://www.qut.edu.au/
     _.--._/     the Real World.
           v
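The account policy Matt describes above (root keeps a crypt hash that is only good for console login, every other account has '*' so it can be reached only via ssh+Kerberos) is the kind of thing worth auditing on each box. The following sh script is an added example written for this page, not code from the thread or from FreeBSD; the master.passwd-style sample is constructed, and the two function names are my own.

```sh
#!/bin/sh
# Constructed master.passwd-style sample (not from the thread). The hash
# strings are placeholders, not real password hashes.
SAMPLE_PASSWD='root:$1$abcdefgh$placeholderhashplaceholderh:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
matt:*:1001:1001::0:0:Matt:/home/matt:/bin/sh
ops:$1$zzzzzzzz$placeholderhashplaceholderh:1002:1002::0:0:Ops:/home/ops:/bin/sh
backup:!:1003:1003::0:0:Backup:/home/backup:/bin/sh'

# Print one user name per line for every non-root account whose password
# field is not a locked marker ('*' or '!'). Such accounts could still be
# logged into with a password, which the policy above forbids.
unlocked_nonroot_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $1 != "root" && $2 != "*" && $2 != "!" { print $1 }'
}

# Return 0 when the policy holds: root has a real hash (console login still
# works) and no other account has one. Return 1 otherwise.
policy_ok() {
    root_hash=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2 }')
    case "$root_hash" in
        ""|"*"|"!") return 1 ;;   # root locked out of the console entirely
    esac
    [ -z "$(unlocked_nonroot_accounts "$1")" ]
}
```

On a real host you would feed it the contents of /etc/master.passwd instead of the sample, e.g. `policy_ok "$(cat /etc/master.passwd)"`.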
