From owner-cvs-all@FreeBSD.ORG  Wed Apr 30 12:17:09 2003
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 92F6037B401; Wed, 30 Apr 2003 12:17:09 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id B695843F85; Wed, 30 Apr 2003 12:17:08 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1])
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id h3UJH5Vo054709
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Wed, 30 Apr 2003 15:17:05 -0400 (EDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id h3UJH4Yj054706;
	Wed, 30 Apr 2003 15:17:04 -0400 (EDT)
	(envelope-from wollman)
Date: Wed, 30 Apr 2003 15:17:04 -0400 (EDT)
From: Garrett Wollman <wollman@lcs.mit.edu>
Message-Id: <200304301917.h3UJH4Yj054706@khavrinen.lcs.mit.edu>
To: Kris Kennaway <kris@obsecurity.org>
In-Reply-To: <20030430181603.GD84302@rot13.obsecurity.org>
References: <200304301754.h3UHsJ21004574@repoman.freebsd.org>
	<20030430181603.GD84302@rot13.obsecurity.org>
X-Spam-Score: -19.8 ()
	IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/release Makefile src/release/scripts
	crypto-install.sh
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2003 19:17:10 -0000

<<On Wed, 30 Apr 2003 11:16:03 -0700, Kris Kennaway <kris@obsecurity.org> said:

> Hmm, is it really a good idea to combine crypto and krb5?  krb5 is, I
> suspect, a rarely-used feature in the wild.

``The wild'' contains lots and lots of Windows Active Directory
implementations.

For any operation larger than a few dozen hosts, Kerberos is a great
deal easier to manage than n^2 SSH key combinations.  (This presumes
that you have a working version of Kerberized SSH, which at present
means OpenSSH 3.4 with the patches.)  Even for relatively small
installations, the convenience factor can be significant, particularly
when integrated with other operating systems infrastructure.

-GAWollman