Date:      Wed, 24 Mar 1999 23:41:01 -0800
From:      Mike Thompson <miket@dnai.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>, Gary Gaskell <gaskell@isrc.qut.edu.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <4.1.19990324233231.00a02e40@mail.dnai.com>
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>
References:  <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au>

Matthew,

Thanks for the detailed response.  It sounds like BEST has a
configuration that is close to what I would like to achieve. 
A few quick questions if you don't mind:

Are you referring to SSH v1 or SSH v2, or do both compile 
with Kerberos in the manner you describe?

I am currently looking into what the licensing costs would be 
for us to license SSH v2 for our servers.  Does BEST.COM pay
to license SSH v1 or SSH v2 for internal use?

I set up a Kerberos IV server and it is very unfriendly, but
possible.  I'll investigate Kerberos V in the ports.  By using 
Kerberos I assume it gives you the advantage of configuring
all ssh authentication and passwords on the Kerberos server?

Thanks again,

Mike Thompson

At 08:26 PM 3/24/99 -0800, Matthew Dillon wrote:
>    SSH can be configured to use kerberos V fairly easily.  I set the
>    following in my /etc/make.conf.local:
>
>MAKE_KERBEROS5= YES
>KRB5_HOME= /usr/krb5
>
>    And then I build the krb5 port and the ssh port.
>
>    Of course, in order to use kerberos you need to set up a kerberos
>    server, and kerberos is extremely user unfriendly when it comes
>    to figuring out how it works.  But if you can get past that point
>    you can get ssh working w/ kerberos.
>
>    This is what BEST.COM does.  We also disallow passworded root logins
>    except on the console ( even w/ ssh ), and use the kerberos 'ksu' command 
>    to control access to root.  This allows us to configure a crypted root 
>    password in the password file good for logging into the console, but
>    useless if stolen and decrypted.  All other accounts have '*' for their
>    password ( i.e. ssh+kerberos logins only).  Use of ssh authorized_keys
>    files is also discouraged, though we do use them for direct root-root
>    cron'd administrative functions from two 'secured' machines.
>
>    rsh, rlogin, telnet, exec, and other administrative services are disabled
>    entirely on administrative machines.  sshd is the only way to get in apart
>    from finding a hole in the servers running that implement the function 
>    and purpose of the machine.
>
>					-Matt
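The account and service policy Matt describes (every non-root account locked with '*', root keeping a crypted console password, r-commands and telnet disabled) can be audited from the files involved. The script below is an added example, not code from the original post or from BEST.COM; the master.passwd and inetd.conf contents are constructed samples, and the hash strings are fake placeholders.

```shell
#!/bin/sh
# Constructed sample of /etc/master.passwd (name:pw:uid:gid:class:change:expire:gecos:home:shell).
# The "$1$CONSTRUCTED$..." strings are placeholders, not real hashes.
PASSWD_SAMPLE='root:$1$CONSTRUCTED$fakehashfakehashfakeha:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$CONSTRUCTED$anotherfakehashanotherfakeh:1002:1002::0:0:Bob:/home/bob:/bin/sh'

# Constructed sample of /etc/inetd.conf: telnet, rlogin and rexec commented out,
# rsh ("shell") still enabled, which the audit should flag.
INETD_SAMPLE='ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd'

# Print non-root accounts whose password field is not '*', i.e. accounts that
# would still accept a password instead of being limited to ssh+kerberos logins.
unlocked_accounts() {
    printf '%s\n' "$1" | awk -F: '$1 != "root" && $2 != "*" { print $1 }'
}

# Print uncommented inetd entries for the rsh/rlogin/telnet/rexec family.
enabled_legacy_services() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && ($1 == "shell" || $1 == "login" ||
        $1 == "telnet" || $1 == "exec") { print $1 }'
}

# Exit 0 if root has a crypted password (console login stays possible), 1 otherwise.
root_has_crypted_password() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" && $2 != "*" && $2 != "" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Report against the constructed samples.
audit_report() {
    printf 'Accounts still accepting a password: %s\n' "$(unlocked_accounts "$PASSWD_SAMPLE")"
    printf 'Legacy services still enabled: %s\n' "$(enabled_legacy_services "$INETD_SAMPLE")"
    if root_has_crypted_password "$PASSWD_SAMPLE"; then
        echo 'root: crypted console password present'
    else
        echo 'root: no console password set'
    fi
}
```

On a real host the same functions would be fed `$(cat /etc/master.passwd)` and `$(cat /etc/inetd.conf)`; with the samples above the report flags `bob` and `shell`.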




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19990324233231.00a02e40>