From owner-freebsd-security Wed Mar 24 16:12:46 1999
Date: Thu, 25 Mar 1999 11:10:02 +0000 (GMT)
From: 0x1c
To: Mike Thompson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <4.1.19990324113601.0097aeb0@mail.dnai.com>

You might also be interested in implementing some sort of VPN between
the servers. Have a look at www.kame.net for a free *BSD IPsec
implementation.

Cheers,
Nick

--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers.
-- Sun Tzu, The Art of War

On Wed, 24 Mar 1999, Mike Thompson wrote:

> We are configuring a series of web servers running FreeBSD 2.2.8
> for a new Internet service. To implement our service we need
> to provide a mechanism for secure communication between the
> servers using an rsh-like facility.
>
> One method of doing this would be to run SSH on each server for
> encrypted/authenticated communication. However, the downsides
> of this are that there wouldn't be a central administration
> facility for managing authentication information (unless we
> create one), ssh has a relatively high CPU overhead to encrypt
> all communications, and we would like to avoid paying the substantial
> license fees for SSH across a large number of servers.
>
> An alternative would be to run rsh in combination with a
> Kerberos server to centrally administer authentication
> information between each server. Communication between the
> servers would take place behind a router to prevent
> interception of the unencoded packets. We would also use
> IPFW to restrict communication with rsh as further protection
> against hacking.
>
> Does anyone here have an opinion as to whether rsh and Kerberos
> can be used in this manner for efficient and secure communication
> between web servers running a distributed application?
>
> Ideally, we want to keep the cost per server as low as possible
> with regards to licensing fees, but we also don't want to compromise
> on security.
>
> Thanks,
>
> Mike Thompson
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
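The two pieces of the design discussed in this thread, an IPFW ruleset that confines rsh/kshell to the cluster and a KAME setkey policy that makes the peers talk ESP to each other, as an added worked example that is not part of the original thread and not code from either poster or from the KAME project. It only generates the rule and policy text; the three peer addresses, the back-end interface name ed0 and the rule numbers are constructed for illustration. One caveat it encodes: rsh is not a single port. The client connects to shell (514/tcp) or kshell (544/tcp) from a reserved source port, and the server then opens a second TCP connection back to the client, for stderr, to a reserved port the client chose, so a filter that allows only 514/544 in one direction silently breaks rsh.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Generates, but does not
# apply, (1) an ipfw ruleset confining rsh/kshell to a fixed set of peer
# servers on the back-end interface and (2) a KAME setkey policy requiring
# ESP between those peers.  Addresses, interface and rule numbers are
# constructed for illustration.

PEERS="10.0.0.1 10.0.0.2 10.0.0.3"   # constructed: the web server cluster
IFACE="ed0"                          # constructed: back-end interface

# ipfw rules.  Replies to already-open connections are accepted first.  Each
# ordered pair of peers then gets one 'setup' rule covering both rsh
# connections: the client's connection to shell (514) or kshell (544), which
# comes from a reserved source port, and the server's stderr connection back
# to the reserved port the client chose.  That reserved-port convention is
# why the rule cannot be narrowed to 514/544 alone.  Anything else arriving
# on the interface is dropped and logged.
rsh_ipfw_rules() {
    n=1000
    echo "ipfw add $n allow tcp from any to any established via $IFACE"
    for src in $PEERS; do
        for dst in $PEERS; do
            [ "$src" = "$dst" ] && continue
            n=$((n + 1))
            echo "ipfw add $n allow tcp from $src 512-1023 to $dst 512-1023 setup via $IFACE"
        done
    done
    n=$((n + 1))
    echo "ipfw add $n deny log all from any to any via $IFACE"
}

# KAME setkey policy for one host ("me", which must be one of PEERS):
# traffic to every peer must leave as ESP in transport mode, and traffic
# from every peer must arrive that way.  Keys and SAs are not generated
# here; they are loaded separately with setkey 'add' lines or negotiated
# by an IKE daemon.
ipsec_policy() {
    me="$1"
    for peer in $PEERS; do
        [ "$peer" = "$me" ] && continue
        echo "spdadd $me $peer any -P out ipsec esp/transport//require;"
        echo "spdadd $peer $me any -P in ipsec esp/transport//require;"
    done
}

# Print the ruleset and the policy for the first host of the cluster.
rsh_ipfw_rules
ipsec_policy 10.0.0.1
```

Run it and pipe the first block into sh on each host (after adjusting IFACE) and the second into `setkey -c` on the host whose address you passed; with ESP required between peers, the Kerberos-authenticated rsh traffic no longer crosses the back-end network in the clear, which addresses the "unencoded packets" concern without changing the rsh/Kerberos setup itself.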