From owner-freebsd-security Thu Jun 21 17:00:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pericles.IPAustralia.gov.au (pericles.IPAustralia.gov.au [202.14.186.30]) by hub.freebsd.org (Postfix) with ESMTP id 2DFBE37B407 for ; Thu, 21 Jun 2001 17:00:54 -0700 (PDT) (envelope-from Stanley.Hopcroft@IPAustralia.gov.au)
Received: (from smap@localhost) by pericles.IPAustralia.gov.au (8.11.3/8.11.1) id f5M00pk22720 for ; Fri, 22 Jun 2001 10:00:51 +1000 (EST) (envelope-from Stanley.Hopcroft@IPAustralia.gov.au)
Received: from unknown(10.0.3.110) by pericles.IPAustralia.gov.au via smap (V2.1) id xma022712; Fri, 22 Jun 01 10:00:35 +1000
Received: (from anwsmh@localhost) by stan.aipo.gov.au (8.11.3/8.11.1) id f5M00Zl00818 for freebsd-security@FreeBSD.ORG; Fri, 22 Jun 2001 10:00:35 +1000 (EST) (envelope-from anwsmh)
Date: Fri, 22 Jun 2001 10:00:35 +1000
From: Stanley Hopcroft
To: freebsd-security@FreeBSD.ORG
Subject: SSH and/or Kerberos experience
Message-ID: <20010622100034.B788@IPAustralia.Gov.AU>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Ladies and Gentlemen,

I am writing to ask for opinions or anecdotes on using SSH with Kerberos authentication with FreeBSD to provide access (but not necessarily root access) to a largish number of Unix boxes.

The main difference I see between Kerberos and SSH is that Kerberos provides a single point of control for the authentication process: rights can be added or deleted in only one place.
SSH, with RSA Authentication, on the other hand does not rely on smallish shared secrets and kerberised applications (definite no-no, since many of the boxes requiring access will be Windows), but requires that each box that is going to be accessed be updated with the public key of any box that is going to access it. This is obviously expensive and maybe impossible if many of the boxes interact (instead of perhaps hub and spokes).

Therefore, I think that SSH with Kerberos authentication is the best way of providing arbitrary secure access without expensive (i.e. manual) key management.

Please let me know if I am on the right track, and how effective Kerberos authentication with SSH is? Is this what people do with large numbers of boxes? Are there better ways (SSH auth by RADIUS??)?

Thank you,

Yours sincerely.

-- 
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
"We'll cross out that bridge when we come back to it later."
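As an added illustration, not part of the original message, the following Python script inventories authorized_keys entries across a set of constructed sample hosts and reports how many boxes must be edited to revoke a single key, which is the per-host management cost the post contrasts with Kerberos's single point of control. Host names, key blobs and comments are constructed, and the parser assumes the standard authorized_keys line layout (optional options field, key type, base64 blob, comment).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample data: host name -> contents of that host's
# ~/.ssh/authorized_keys. The base64 blobs are arbitrary, not real keys.
SAMPLE_HOSTS = {
    "alpha": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 alice@ws1\n"
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx bob@ws2\n",
    "beta":  "# ops keys, alice restricted to the management subnet\n"
             'from="10.0.3.0/24",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 alice@ws1\n',
    "gamma": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDx bob@ws2\n"
             "\n"
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 alice@ws1\n",
}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line; skip blanks and comments."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (from=..., no-pty, ...) may precede the key type,
        # so locate the key type instead of assuming it is field 0.
        for i, f in enumerate(fields):
            if f.startswith(KEY_TYPES) and i + 1 < len(fields):
                yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break


def key_inventory(hosts):
    """Map each key fingerprint to the sorted list of hosts that accept it."""
    inv = defaultdict(set)
    for host, text in hosts.items():
        for fp, _comment in parse_authorized_keys(text):
            inv[fp].add(host)
    return {fp: sorted(h) for fp, h in inv.items()}


def revocation_cost(hosts, fp):
    """How many hosts' authorized_keys must be edited to revoke one key."""
    return len(key_inventory(hosts).get(fp, []))
```

In a real deployment the `SAMPLE_HOSTS` dictionary would be filled from each box's authorized_keys file; the resulting inventory is also the list of places a compromised or departed user's key must be removed from.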