Date: Fri, 22 Jun 2001 10:00:35 +1000
From: Stanley Hopcroft <Stanley.Hopcroft@IPAustralia.gov.au>
To: freebsd-security@FreeBSD.ORG
Subject: SSH and/or Kerberos experience
Message-ID: <20010622100034.B788@IPAustralia.Gov.AU>

Dear Ladies and Gentlemen,

I am writing to ask for opinions or anecdotes on using SSH with Kerberos authentication with FreeBSD to provide access (but not necessarily root access) to a largish number of Unix boxes.

The main difference I see between Kerberos and SSH is that Kerberos provides a single point of control for the authentication process: rights can be added or deleted in only one place.

SSH, with RSA Authentication, on the other hand does not rely on smallish shared secrets and kerberised applications (definite no-no, since many of the boxes requiring access will be Windows), but requires that each box that is going to be accessed be updated with the public key of any box that is going to access it.

This is obviously expensive and maybe impossible if many of the boxes interact (instead of perhaps hub and spokes).

Therefore, I think that SSH with Kerberos authentication is the best way of providing arbitrary secure access without expensive (i.e. manual) key management.

Please let me know if I am on the right track, and how effective Kerberos authentication with SSH is? Is this what people do with large numbers of boxes? Are there better ways (SSH auth by RADIUS??)?

Thank you,

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
"We'll cross out that bridge when we come back to it later."