Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Mar 1999 02:18:35 -0800
From:      Mike Thompson <miket@dnai.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>, Gary Gaskell <gaskell@isrc.qut.edu.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <4.1.19990325021717.0097e980@mail.dnai.com>
In-Reply-To: <199903250426.UAA68023@apollo.backplane.com>
References:  <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au>

next in thread | previous in thread | raw e-mail | index | archive | help
Matthew,

Another quick question.  Under the configuration described below 
can one system issue an ssh command from a script to another system
without having to include a password?  We have automated scripts
that will run nightly that will run on one server and execute commands
on other servers using ssh.  Suppling such a password to the 
Kerberos kinit application before using ssh in such a script will be 
problematic. I assume this is why you mentioned your use of the 
"authorized_keys" files for limited purposes?  Any other suggestions?

Mike Thompson

At 08:26 PM 3/24/99 -0800, Matthew Dillon wrote:
>:I was using rsh/rlogin with a kerberos server for something similar 5
>:years ago (kerberos v5) and it was all free, save the time of compilation
>:and configuration.
>:
>:What's the problem?  the rtools are part of the MIT distribution.
>:
>:Gary
>:
>:On Wed, 24 Mar 1999, Mike Thompson wrote:
>:
>:> We are configuring a series of web servers running FreeBSD 2.2.8
>:> for a new Internet service.  To implement our service we need
>:> to provide a mechanism for secure communication between the 
>:> servers using an rsh-like facility.
>:> 
>:> One method of doing this would be to run SSH on each server for
>:> encrypted/authenticated communication.  However, the downsides
>:> of this are that there wouldn't be a central administration
>:> facility for managing authentication information (unless we
>:> create one), ssh has a relatively high CPU overhead to encrypt 
>:> all communications and we would like to avoid paying the substantial
>:> license fees for SSH across a large number of servers.
>:> 
>:> An alternative would be to run a rsh in combination with a
>:> Kerberos server to centrally administer authentication 
>:> information between each server.  Communication between the
>:> servers would take place behind a router to prevent 
>:> interception of the unencoded packets.  We would also use
>:> IPFW to restrict communication with rsh as further protection
>:...
>
>    SSh can be configured to use kerberos V fairly easily.  I set the
>    following in my /etc/make.conf.local:
>
>MAKE_KERBEROS5= YES
>KRB5_HOME= /usr/krb5
>
>    And then I build the krb5 port and the ssh port.
>
>    Of course, in order to use kerberos you need to setup a kerberos
>    server, and kerberos is extremely user unfriendly when it comes
>    to figuring out how it works.  But if you can get past that point
>    you can get ssh working w/ kerberos.
>
>    This is what BEST.COM does.  We also disallow passworded root logins
>    except on the console ( even w/ ssh ), and use the kerberos 'ksu' command 
>    to control access to root.  This allows us to configure a crypted root 
>    password in the password file good for logging into the console, but
>    useless if stolen and decrypted.  All other accounts have '*' for their
>    password ( i.e. ssh+kerberos logins only).  Use of ssh authorized_keys
>    files are also discouraged, though we do use them for direct root-root
>    cron'd administrative functions from two 'secured' machines.
>
>    rsh, rlogin, telnet, exec, and other administrative services are disabled
>    entirely on administrative machines.  sshd is the only way to get in apart
>    from finding a hole in the servers running that implement the function 
>    and purpose of the machine.
>
>					-Matt
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19990325021717.0097e980>