On Thu, Jan 30, 2003 at 04:09:21PM -0800, chip wiegand wrote: > I am going to set up a new machine with fbsd4.7R for web use - apache, > mysql, php, phpmyadmin. I will be co-locating this box at my isp's > office. I would like to make sure this is as secure as possible and > still be able to have direct access to upload files and maintain, pull > off log files, etc. I was reading the handbook chapter on security and > am not sure if I should use kerberos, which I know nothing about, or > ssh. I was a little confused about the setup of kerberos in the kerberos > chapter.
My feeling is that ssh(1) would probably serve you better in your situation, and that Kerberos is probably overkill. ssh(1) is a standard part of a FreeBSD system and needs no extra make.conf options to enable. You can use it as a drop in replacement for rsh(1) and rcp(1) without any pre-amble, although setting up identity keys (ssh-keygen(1)) and the use of ssh-agent(1) will improve the whole experience. You'll find rsync(1) (ports net/rsync) to be a very handy tool for uploading and managing web site content, and rsync runs by default over ssh(1) on FreeBSD nowadays. Kerberos, on the other hand, seems to be designed to secure large, multi-computer sites like Universities. If you want an introduction to Kerberizing a site, take a look at: http://www.ornl.gov/~jar/HowToKerb.html although you can pretty much ignore the instructions on compiling Kerberos, as it's bundled with FreeBSD already (needs a buildworld to enable though). Kerberos and ssh aren't mutually exclusive either --- ssh can use kerberos tickets to authenticate logins, and ssh provides the ability to tunnel X sessions securely, which Kerberos lacks. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message