Date: Thu, 24 Aug 2000 10:24:50 +0100 (BST)
From: scot@poptart.org
To: Kondie <kondwani@malawi.net>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Help on kerberos, ssh
Message-ID: <Pine.BSF.4.21.0008241011440.86896-100000@plum.flirble.org>
In-Reply-To: <011d01c00da4$ae786fa0$8da894d0@Sysanalyst.galaxy>

We've just implemented Kerberos V internally and are very pleased with it - we replaced Sun's NIS+ with a mixture of Kerberos and standard NIS (the NIS password maps have "*" as the password field).

But - it's not a simple concept and the documentation isn't all that great - I'd recommend you get hold of "Kerberos : A network authentication system" by Brian Tung if you want to go this way.

Kerberos works by way of shared secrets - all the servers that provide services share a key with the KDC (which authenticates users and provides tickets to services), - so that they can talk securely - as do you the user (your password) and the KDC. This is different to the SSH model which is public key based and doesn't require the administrator to distribute shared keys amongst machines.

We use a version of SSH compiled with Kerberos support - which just adds another way for the SSH server to know it's really you trying to login (as opposed to RSA or password authentication).

Kerberos allows verification for the user that the machine he's requesting a service from really is that machine and not someone impersonating the machine. SSH allows this only after the first time you've talked to the machine (the known_hosts feature) - but this isn't an enterprise wide thing.

In short, I'd say Kerberos is best for medium to large organisations that have a lot of machines and users - and SSH is good for communicating with hosts that aren't in your enterprise.

Hope that helps...

Scot

On Thu, 24 Aug 2000, Kondie wrote:

> Hello,
>
> I am rather new to Unix systems administration. I am running a FreeBSD
> server and would very much appreciate any assistance on how kerberos
> and ssh work and what I would risk if I implement them on my system. I
> have read FreeBSD security handbook on kerberos and the man pages, but
> they seem to only point at how to use them, and not exactly what they
> are about.
>
> Regards,
>
> Kondwani.
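
Added example, not part of the original e-mail: a simplified Python model of the shared-secret exchange described above, showing why a machine that does not hold the key it shares with the KDC cannot prove its identity to the user. The cipher is a toy stand-in for real Kerberos encryption, and the function names, timestamps and message layout are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    # Toy keystream: HMAC-SHA256 in counter mode (stand-in for a real enctype)
    ks = b"".join(hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self):
        self.keys = {}                      # principal -> long-term shared secret

    def register(self, principal):
        self.keys[principal] = os.urandom(32)   # a user's key really derives from the password
        return self.keys[principal]

    def issue(self, user, service):
        session = os.urandom(32).hex()
        reply = seal(self.keys[user], {"service": service, "session": session})
        ticket = seal(self.keys[service], {"user": user, "session": session})
        return reply, ticket                # ticket is opaque to the user

def service_accept(service_key, ticket, authenticator):
    t = unseal(service_key, ticket)         # needs the key shared with the KDC
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"], seal(session, {"ts": a["ts"] + 1})   # proof sent back to the user

def client_login(kdc, user, user_key, service, server, ts=1000):
    reply, ticket = kdc.issue(user, service)
    session = bytes.fromhex(unseal(user_key, reply)["session"])
    try:
        proof = server(ticket, seal(session, {"user": user, "ts": ts}))
        return unseal(session, proof) == {"ts": ts + 1}
    except ValueError:
        return False                        # server could not prove it holds the key
```

Here `server` is any callable that takes the ticket and authenticator and returns the proof bytes; only one that can open the ticket with the registered service key makes `client_login` return `True`.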