Date: Wed, 24 Mar 1999 20:26:12 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Gary Gaskell <gaskell@isrc.qut.edu.au> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH Message-ID: <199903250426.UAA68023@apollo.backplane.com> References: <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
:I was using rsh/rlogin with a kerberos server for something similar 5
:years ago (kerberos v5) and it was all free, save the time of compilation
:and configuration.
:
:What's the problem? the rtools are part of the MIT distribution.
:
:Gary
:
:On Wed, 24 Mar 1999, Mike Thompson wrote:
:
:> We are configuring a series of web servers running FreeBSD 2.2.8
:> for a new Internet service. To implement our service we need
:> to provide a mechanism for secure communication between the
:> servers using an rsh-like facility.
:>
:> One method of doing this would be to run SSH on each server for
:> encrypted/authenticated communication. However, the downsides
:> of this are that there wouldn't be a central administration
:> facility for managing authentication information (unless we
:> create one), ssh has a relatively high CPU overhead to encrypt
:> all communications and we would like to avoid paying the substantial
:> license fees for SSH across a large number of servers.
:>
:> An alternative would be to run a rsh in combination with a
:> Kerberos server to centrally administer authentication
:> information between each server. Communication between the
:> servers would take place behind a router to prevent
:> interception of the unencoded packets. We would also use
:> IPFW to restrict communication with rsh as further protection
:...
SSh can be configured to use kerberos V fairly easily. I set the
following in my /etc/make.conf.local:
MAKE_KERBEROS5= YES
KRB5_HOME= /usr/krb5
And then I build the krb5 port and the ssh port.
Of course, in order to use kerberos you need to setup a kerberos
server, and kerberos is extremely user unfriendly when it comes
to figuring out how it works. But if you can get past that point
you can get ssh working w/ kerberos.
This is what BEST.COM does. We also disallow passworded root logins
except on the console ( even w/ ssh ), and use the kerberos 'ksu' command
to control access to root. This allows us to configure a crypted root
password in the password file good for logging into the console, but
useless if stolen and decrypted. All other accounts have '*' for their
password ( i.e. ssh+kerberos logins only). Use of ssh authorized_keys
files are also discouraged, though we do use them for direct root-root
cron'd administrative functions from two 'secured' machines.
rsh, rlogin, telnet, exec, and other administrative services are disabled
entirely on administrative machines. sshd is the only way to get in apart
from finding a hole in the servers running that implement the function
and purpose of the machine.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903250426.UAA68023>