From owner-freebsd-security Wed Mar 24 23:51: 6 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dnai.com (dnai.com [207.181.194.98])
	by hub.freebsd.org (Postfix) with ESMTP id E8F5A1514A
	for ; Wed, 24 Mar 1999 23:51:02 -0800 (PST)
	(envelope-from miket@dnai.com)
Received: from einstein (dnai-207-181-255-21.dialup.dnai.com [207.181.255.21])
	by dnai.com (8.8.8/8.8.8) with SMTP id XAA15004;
	Wed, 24 Mar 1999 23:47:06 -0800 (PST)
Message-Id: <4.1.19990324233231.00a02e40@mail.dnai.com>
X-Sender: miket@mail.dnai.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 24 Mar 1999 23:41:01 -0800
To: Matthew Dillon , Gary Gaskell
From: Mike Thompson
Subject: Re: Kerberos vs SSH
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew,

Thanks for the detailed response. It sounds like BEST has a
configuration that is close to what I would like to achieve.

A few quick questions if you don't mind:

Are you referring to SSH v1 or SSH v2, or do both compile with
Kerberos in the manner you describe?

I am currently looking into what the licensing costs would be for
us to license SSH v2 for our servers. Does BEST.COM pay to license
SSH v1 or SSH v2 for internal use?

I set up a Kerberos IV server and it is very unfriendly, but possible.
I'll investigate Kerberos V in the ports.

By using Kerberos I assume it gives you the advantage of configuring
all ssh authentication and passwords on the Kerberos server?

Thanks again,

Mike Thompson

At 08:26 PM 3/24/99 -0800, Matthew Dillon wrote:
>    SSH can be configured to use kerberos V fairly easily. I set the
>    following in my /etc/make.conf.local:
>
>MAKE_KERBEROS5= YES
>KRB5_HOME= /usr/krb5
>
>    And then I build the krb5 port and the ssh port.
>
>    Of course, in order to use kerberos you need to set up a kerberos
>    server, and kerberos is extremely user unfriendly when it comes
>    to figuring out how it works. But if you can get past that point
>    you can get ssh working w/ kerberos.
>
>    This is what BEST.COM does. We also disallow passworded root logins
>    except on the console ( even w/ ssh ), and use the kerberos 'ksu' command
>    to control access to root. This allows us to configure a crypted root
>    password in the password file good for logging into the console, but
>    useless if stolen and decrypted. All other accounts have '*' for their
>    password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys
>    files is also discouraged, though we do use them for direct root-root
>    cron'd administrative functions from two 'secured' machines.
>
>    rsh, rlogin, telnet, exec, and other administrative services are disabled
>    entirely on administrative machines. sshd is the only way to get in apart
>    from finding a hole in the servers running that implement the function
>    and purpose of the machine.
>
>    -Matt
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
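
The host policy described in the quoted message ('*' password fields for every account except root; rsh, rlogin, telnet and exec disabled) can be checked mechanically. The script below is an added example, not part of either message or of BEST.COM's setup; the function names and sample files are constructed, and it assumes the standard inetd.conf service names `shell` and `login` for rsh and rlogin.

```shell
#!/bin/sh
# Added example: audit copies of master.passwd and inetd.conf against the
# policy in the quoted message. All names and sample data are constructed.

# Print each non-root account whose password field (field 2) is not exactly "*".
# root is exempt: the message keeps a crypted root password for console logins.
# Any other marker in the field is reported so a person can review it.
passworded_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $1 != "root" && $2 != "*" { print $1 }' "$1"
}

# Print enabled (uncommented) inetd entries for rsh (shell), rlogin (login),
# telnet and exec.
enabled_legacy_services() {
    awk '!/^[ \t]*#/ && ($1 == "shell" || $1 == "login" || $1 == "telnet" || $1 == "exec") { print $1 }' "$1"
}

# Run both checks; return 0 only when neither reports a finding.
audit_host() {
    pw=$(passworded_accounts "$1")
    svc=$(enabled_legacy_services "$2")
    [ -n "$pw" ] && echo "accounts with a password set: $pw"
    [ -n "$svc" ] && echo "legacy services enabled in inetd.conf: $svc"
    [ -z "$pw" ] && [ -z "$svc" ]
}

# Write constructed sample files (not from any real host) and print their directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:$2b$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$constructedhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    cat > "$dir/inetd.conf" <<'EOF'
#shell  stream tcp nowait root /usr/libexec/rshd    rshd
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
#login  stream tcp nowait root /usr/libexec/rlogind rlogind
EOF
    echo "$dir"
}

# "sh audit.sh demo" runs the audit over the constructed samples.
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples); audit_host "$d/master.passwd" "$d/inetd.conf"; rm -rf "$d"
fi
```

On a real host, run `audit_host` against copies of `/etc/master.passwd` and `/etc/inetd.conf`; reading `master.passwd` requires root.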