From owner-freebsd-questions Fri Jan 31 1:52:14 2003
Date: Fri, 31 Jan 2003 09:51:55 +0000
From: Matthew Seaman
To: "freebsd-questions@freebsd.org"
Subject: Re: security settings - kerberos or ssh?
Message-ID: <20030131095155.GA68243@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030130160921.491fa9e0.chip@wiegand.org>
References: <20030130160921.491fa9e0.chip@wiegand.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.3i

On Thu, Jan 30, 2003 at 04:09:21PM -0800, chip wiegand wrote:
> I am going to set up a new machine with fbsd4.7R for web use - apache,
> mysql, php, phpmyadmin. I will be co-locating this box at my ISP's
> office. I would like to make sure this is as secure as possible and
> still be able to have direct access to upload files and maintain, pull
> off log files, etc. I was reading the handbook chapter on security and
> am not sure if I should use Kerberos, which I know nothing about, or
> ssh. I was a little confused about the setup of Kerberos in the Kerberos
> chapter.

My feeling is that ssh(1) would probably serve you better in your
situation, and that Kerberos is probably overkill.

ssh(1) is a standard part of a FreeBSD system and needs no extra
make.conf options to enable. You can use it as a drop-in replacement
for rsh(1) and rcp(1) without any preamble, although setting up
identity keys (ssh-keygen(1)) and the use of ssh-agent(1) will improve
the whole experience. You'll find rsync(1) (ports net/rsync) to be a
very handy tool for uploading and managing web site content, and rsync
runs by default over ssh(1) on FreeBSD nowadays.

Kerberos, on the other hand, seems to be designed to secure large,
multi-computer sites like universities. If you want an introduction to
Kerberizing a site, take a look at:

    http://www.ornl.gov/~jar/HowToKerb.html

although you can pretty much ignore the instructions on compiling
Kerberos, as it's bundled with FreeBSD already (needs a buildworld to
enable though).

Kerberos and ssh aren't mutually exclusive either --- ssh can use
Kerberos tickets to authenticate logins, and ssh provides the ability
to tunnel X sessions securely, which Kerberos lacks.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
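The ssh(1) workflow the reply recommends (an identity key from ssh-keygen(1), ssh-agent(1) holding it, and rsync(1) pushing site content and pulling logs over ssh), written out as an added shell example that is not part of the original mail; the account name, hostname, paths and key file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Hostname, account, paths and
# the key file name below are assumed values for illustration only.

KEY="${HOME}/.ssh/id_rsa"          # identity key file (assumed name)
REMOTE="webadmin@colo.example.org" # assumed account@host at the ISP
SITE_SRC="${HOME}/site/"           # local copy of the site; trailing / matters
SITE_DST="/usr/local/www/data/"    # assumed Apache DocumentRoot on the box
LOG_SRC="/var/log/httpd/"          # assumed server log directory

# Create the identity key once; ssh-keygen prompts for a passphrase.
ensure_key() {
    [ -f "$KEY" ] && return 0
    ssh-keygen -t rsa -b 2048 -f "$KEY" -C "web upload key"
}

# Start ssh-agent for this shell (if none is running) and load the key,
# so the ssh/rsync calls below do not prompt for the passphrase each time.
start_agent() {
    if [ -z "$SSH_AUTH_SOCK" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add "$KEY"
}

# Compose the upload command as a string so it can be inspected (and
# tested) without a network; -e ssh makes rsync tunnel over ssh, not rsh.
rsync_push_cmd() {
    printf 'rsync -az --delete -e ssh %s %s:%s' "$1" "$3" "$2"
}

# Compose the command that pulls log files back over the same channel.
rsync_pull_logs_cmd() {
    printf 'rsync -az -e ssh %s:%s %s' "$1" "$2" "$3"
}

# Push the site; pass --dry-run first to see what --delete would remove.
rsync_push() {
    dry=""
    [ "$1" = "--dry-run" ] && dry="--dry-run"
    rsync -az --delete $dry -e ssh "$SITE_SRC" "$REMOTE:$SITE_DST"
}

# Pull the server logs into a local directory for offline inspection.
rsync_pull_logs() {
    rsync -az -e ssh "$REMOTE:$LOG_SRC" "${1:-./logs/}"
}

# Typical session:  . ./push.sh; ensure_key; start_agent;
#                   rsync_push --dry-run; rsync_push; rsync_pull_logs
```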