Date: Thu, 24 Sep 1998 00:28:37 -0700 (PDT)
From: Matthew Dillon <dillon@backplane.com>
To: Mark Murray <mark@grondar.za>
Cc: Mike Smith <mike@smith.net.au>, asami@FreeBSD.ORG (Satoshi Asami), committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
Message-ID: <199809240728.AAA17646@apollo.backplane.com>
References: <199809232357.QAA04981@dingo.cdrom.com> <199809240655.IAA21484@gratis.grondar.za>
I'll be frank: Moving to kerberos is a *good* idea. We've been using
the ssh+kerberos combination at BEST for systems accounts for two years
now and it has allowed us to remove (i.e. '*'-out) passwords for all
sensitive accounts (i.e. the ones we clone across all of our servers).
Additionally, we removed *all* accounts from wheel group. Not even staff
is in wheel anymore... it's ksu to root or nothing. This combination
allows us to have a crypted root password in the password file (that only
four people know), which can ONLY be used when logging into the
machine's console. This plus kerberos-only logins is extremely effective
in preventing critical accounts from being compromised.
It works flawlessly for us. Going to kerberos is, IMHO, a much needed
security bullet on WC CDROM and all other freebsd-group machines.
Make sure you set up two kerberos servers rather than just one. Also,
put the following line in /etc/csh.logout on all the machines. It is
extremely important to destroy tickets on logout.
# System-wide .logout file for csh(1).
/usr/bin/klist -s && /usr/bin/kdestroy
-Matt
:> >
:> > Will typing passwords over ssh work? There are some times (quite
:> > often, actually) that my home directory is not available and I have to
:> > type my password to get into paddock.
:>
:> It should; the connection is encrypted already at that point.
:
:Sure - but SSH is doing the authentication against the kerberos database,
:not /etc/passwd-and-friends. Kerberos has a different encoding scheme,
:so the password will need to be reregistered. A pain, I am sorry,
:but necessary. I'll try to set up a tool to assist here.
:
:M
:--
:Mark Murray
:Join the anti-SPAM movement: http://www.cauce.org
Matthew Dillon Engineering, HiWay Technologies, Inc. & BEST Internet
Communications & God knows what else.
<dillon@backplane.com> (Please include original email in any response)
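The two host-level changes Matt describes above (nobody left in wheel, and every cloned account's password field '*'-ed out so that only Kerberos plus ksu gets you in) can be checked mechanically. The script below is an added example, not part of this mail or of FreeBSD; it reads group and passwd files whose paths are passed as parameters, and the sample files it writes are constructed for illustration. Root is deliberately excluded from the "unlocked accounts" check, because the mail keeps a crypted root password for console-only logins.

```shell
#!/bin/sh
# Added example (not from the original e-mail): audit a host against the
# policy described in the mail -- an empty wheel group, and every account
# except root with a '*' in its password field so only Kerberos/ksu works.
# File paths are parameters; the sample files created below are constructed.

# Print the members of the wheel group, one per line (nothing if empty).
# /etc/group line format: name:password:gid:member1,member2,...
wheel_members() {
    awk -F: '$1 == "wheel" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Print accounts whose password field is not '*' (a crypted password or an
# empty field), skipping root, which keeps a crypted password for the console.
# master.passwd / passwd line format: name:password:uid:gid:...
unlocked_accounts() {
    awk -F: '$1 != "root" && $2 != "*" { print $1 }' "$1"
}

# Run both checks; print findings and return 1 if either policy is violated.
audit_host() {
    rc=0
    w=$(wheel_members "$1")
    if [ -n "$w" ]; then
        printf 'wheel still has members: %s\n' "$(printf '%s' "$w" | tr '\n' ' ')"
        rc=1
    fi
    u=$(unlocked_accounts "$2")
    if [ -n "$u" ]; then
        printf 'accounts not *-ed out: %s\n' "$(printf '%s' "$u" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Constructed sample input: a host that has NOT yet been cleaned up.
TMP=$(mktemp -d)
cat > "$TMP/group" <<'EOF'
wheel:*:0:alice,bob
staff:*:20:alice,carol
EOF
cat > "$TMP/master.passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:20::0:0:Alice:/home/alice:/bin/csh
bob:$1$constructed$hash2:1002:20::0:0:Bob:/home/bob:/bin/csh
carol::1003:20::0:0:Carol:/home/carol:/bin/csh
EOF

# Run the audit on the sample host; prints two findings and exits non-zero.
audit_host "$TMP/group" "$TMP/master.passwd" || echo "audit: policy violations found"

# For accounts whose login shell is sh rather than csh, the equivalent of the
# csh.logout line in the mail is an EXIT trap in /etc/profile (assumption:
# klist/kdestroy live in /usr/bin as in the mail):
#   trap '/usr/bin/klist -s && /usr/bin/kdestroy' EXIT
```

On a real host you would point audit_host at /etc/group and /etc/master.passwd and run it from cron, alerting when it returns non-zero; the expected findings for the constructed sample are alice and bob in wheel, and bob (crypted) plus carol (empty field) as accounts that have not been '*'-ed out.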
