From owner-freebsd-security Wed Mar 24 20:49:45 1999
Date: Thu, 25 Mar 1999 14:49:18 +1000 (EST)
From: Gary Gaskell
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>

Perhaps we (myself) am confused. I thought you wanted an rsh-like tool
that used strong crypto (like ssh does), but has a central control point,
rather than ssh's peer-to-peer architecture.

The rsh I mentioned in the MIT kerberos distribution is kerberised. The
command is krsh and the server is krshd, which can be started from inetd.

Personally I would have agreed back in 1994 that the MIT beta distribution
of Kerberos was a little unintuitive to set up, but I think it's pretty
good now. I know I had a web page back in those days detailing each step.
Others have now gone further.

Best wishes with your project.

Gary

On Wed, 24 Mar 1999, Matthew Dillon wrote:

> :I was using rsh/rlogin with a kerberos server for something similar 5
> :years ago (kerberos v5) and it was all free, save the time of compilation
> :and configuration.
> :
> :What's the problem? the rtools are part of the MIT distribution.
> :
> :Gary
> :
> :On Wed, 24 Mar 1999, Mike Thompson wrote:
> :
> :> We are configuring a series of web servers running FreeBSD 2.2.8
> :> for a new Internet service. To implement our service we need
> :> to provide a mechanism for secure communication between the
> :> servers using an rsh-like facility.
> :>
> :> One method of doing this would be to run SSH on each server for
> :> encrypted/authenticated communication. However, the downsides
> :> of this are that there wouldn't be a central administration
> :> facility for managing authentication information (unless we
> :> create one), ssh has a relatively high CPU overhead to encrypt
> :> all communications and we would like to avoid paying the substantial
> :> license fees for SSH across a large number of servers.
> :>
> :> An alternative would be to run a rsh in combination with a
> :> Kerberos server to centrally administer authentication
> :> information between each server. Communication between the
> :> servers would take place behind a router to prevent
> :> interception of the unencoded packets. We would also use
> :> IPFW to restrict communication with rsh as further protection
> :...
>
> SSH can be configured to use kerberos V fairly easily. I set the
> following in my /etc/make.conf.local:
>
>     MAKE_KERBEROS5= YES
>     KRB5_HOME= /usr/krb5
>
> And then I build the krb5 port and the ssh port.
>
> Of course, in order to use kerberos you need to set up a kerberos
> server, and kerberos is extremely user unfriendly when it comes
> to figuring out how it works. But if you can get past that point
> you can get ssh working w/ kerberos.
>
> This is what BEST.COM does. We also disallow passworded root logins
> except on the console ( even w/ ssh ), and use the kerberos 'ksu' command
> to control access to root. This allows us to configure a crypted root
> password in the password file good for logging into the console, but
> useless if stolen and decrypted. All other accounts have '*' for their
> password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys
> files is also discouraged, though we do use them for direct root-root
> cron'd administrative functions from two 'secured' machines.
>
> rsh, rlogin, telnet, exec, and other administrative services are disabled
> entirely on administrative machines. sshd is the only way to get in apart
> from finding a hole in the servers running that implement the function
> and purpose of the machine.
>
> -Matt
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

Cheers,
Gary

-----------------------------------------------------------
Gary Gaskell
Manager Secure Network Laboratory          Phone (07) 3864 1190
Information Security Research Centre       Fax   (07) 3221 2384
Queensland University of Technology
-----------------------------------------------------------
QUT: A University for the Real World.      http://www.qut.edu.au/
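
The host policy described in the quoted message (only root keeps a crypted password, every other account has '*', and rsh, rlogin, telnet and exec are off) can be checked mechanically. The following is an added example, not part of the thread or of any poster's tooling; the file contents are constructed samples, and it assumes the colon-separated FreeBSD master.passwd layout and the standard inetd service names (shell = rsh, login = rlogin).

```python
# Added example: audit sketch for the policy described in the thread.
# All file contents below are constructed samples, not real data.
SAMPLE_MASTER_PASSWD = """\
root:$1$constructed$placeholderhash0000000000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$1$constructed$placeholderhash1111111111:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
"""
SAMPLE_INETD_CONF = """\
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
shell   stream tcp nowait root /usr/libexec/rshd    rshd
#login  stream tcp nowait root /usr/libexec/rlogind rlogind
exec    stream tcp nowait root /usr/libexec/rexecd  rexecd
"""

# inetd service names for rsh, rlogin, telnet and rexec.
LEGACY_SERVICES = ("shell", "login", "telnet", "exec")


def accounts_violating_policy(master_passwd_text, console_accounts=("root",)):
    """Return (account, reason) for every entry whose password field breaks the policy."""
    findings = []
    for line in master_passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, nothing to evaluate
        name, password = fields[0], fields[1]
        if password == "":
            # An empty field means no password at all; never acceptable.
            findings.append((name, "empty password field"))
        elif password != "*" and name not in console_accounts:
            findings.append((name, "crypted password present"))
    return findings


def enabled_legacy_services(inetd_conf_text, banned=LEGACY_SERVICES):
    """Return banned service names that are still uncommented in inetd.conf."""
    enabled = []
    for line in inetd_conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split()[0] in banned:
            enabled.append(line.split()[0])
    return enabled


if __name__ == "__main__":
    print(accounts_violating_policy(SAMPLE_MASTER_PASSWD))
    print(enabled_legacy_services(SAMPLE_INETD_CONF))
```
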