Date:      Fri, 31 Jan 2003 09:51:55 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: security settings - kerberos or ssh?
Message-ID:  <20030131095155.GA68243@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030130160921.491fa9e0.chip@wiegand.org>
References:  <20030130160921.491fa9e0.chip@wiegand.org>

On Thu, Jan 30, 2003 at 04:09:21PM -0800, chip wiegand wrote:
> I am going to set up a new machine with fbsd4.7R for web use - apache,
> mysql, php, phpmyadmin. I will be co-locating this box at my ISP's
> office. I would like to make sure this is as secure as possible and
> still be able to have direct access to upload files and maintain, pull
> off log files, etc. I was reading the handbook chapter on security and
> am not sure if I should use Kerberos, which I know nothing about, or
> ssh. I was a little confused about the setup of Kerberos in the Kerberos
> chapter.

My feeling is that ssh(1) would probably serve you better in your
situation, and that Kerberos is probably overkill.

ssh(1) is a standard part of a FreeBSD system and needs no extra
make.conf options to enable.  You can use it as a drop-in replacement
for rsh(1) and rcp(1) without any preamble, although setting up
identity keys (ssh-keygen(1)) and the use of ssh-agent(1) will improve
the whole experience.  You'll find rsync(1) (ports net/rsync) to be a
very handy tool for uploading and managing web site content, and rsync
runs by default over ssh(1) on FreeBSD nowadays.

Kerberos, on the other hand, seems to be designed to secure large,
multi-computer sites like universities.  If you want an introduction
to Kerberizing a site, take a look at:

    http://www.ornl.gov/~jar/HowToKerb.html

although you can pretty much ignore the instructions on compiling
Kerberos, as it's bundled with FreeBSD already (needs a buildworld to
enable though).  Kerberos and ssh aren't mutually exclusive either ---
ssh can use Kerberos tickets to authenticate logins, and ssh provides
the ability to tunnel X sessions securely, which Kerberos lacks.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
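
The identity key, ssh-agent and rsync-over-ssh workflow suggested in the message, as an added example that is not part of the original e-mail. The key path, the account `chip@web.example.net` and the function names are assumptions; ed25519 keys need an OpenSSH far newer than the one shipped with FreeBSD 4.7.

```shell
#!/bin/sh
# Added example: dedicated deploy key + ssh-agent + rsync over ssh.
# Host, user and paths are placeholders (assumptions), not from the e-mail.

KEY="${KEY:-$HOME/.ssh/id_web_deploy}"      # path must not contain spaces
REMOTE="${REMOTE:-chip@web.example.net}"

# Create a dedicated key pair. With no -N option ssh-keygen prompts for a
# passphrase; ssh-agent then holds the unlocked key so it is typed once.
make_key() {
    if [ -e "$KEY" ]; then
        echo "refusing to overwrite $KEY" >&2
        return 1
    fi
    mkdir -p "$(dirname "$KEY")" && chmod 700 "$(dirname "$KEY")"
    ssh-keygen -t ed25519 -f "$KEY" -C "web-deploy"
}

# Load the key into the agent with a one-hour lifetime.
load_key() {
    [ -n "$SSH_AUTH_SOCK" ] || eval "$(ssh-agent -s)" >/dev/null
    ssh-add -t 3600 "$KEY"
}

# ssh transport for rsync: only this key, never a password, and fail
# closed when the server's host key is unknown or has changed.
ssh_transport() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes' "$KEY"
}

# Upload site content. $1 = local dir, $2 = remote dir.
# Set DRYRUN=1 to list changes without writing anything (rsync -n).
push_site() {
    src="${1%/}/"; dest="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    rsync -az --delete ${DRYRUN:+-n} -e "$(ssh_transport)" "$src" "$REMOTE:$dest"
}

# Pull log files back; no --delete, so local copies outlive remote rotation.
pull_logs() {
    mkdir -p "$2" && rsync -az -e "$(ssh_transport)" "$REMOTE:${1%/}/" "${2%/}/"
}
```

Because of `StrictHostKeyChecking=yes`, the server's host key has to be in `known_hosts` (checked against the fingerprint shown on the machine's console) before the first transfer. The public half of the key goes into `~/.ssh/authorized_keys` on the server.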



