Hi Mike

Yup, I've been there. A few years ago I set up and administered about 40 Sun boxes with 4 sysadmins and about 20 users - developers mostly. It was mostly a web content development environment plus other Internet services like DNS and Email.

I would suggest both Kerberos/SEAM *and* OpenSSH. When I was doing this Sun didn't have SEAM out, so I used MIT krb5.

Kerberos is good for centralised authentication. Many servers can hook into it easily, also a Win2K AD domain if you need to. Many applications like Samba also have Kerberos authentication capability, which is a bonus. And Kerberos has ksu - which can be used just like sudo - when you need to have people access stuff like restarting web servers without giving them the root password, you can just set them up with ksu access to the command.

OpenSSH is used almost everywhere and can be compiled with Kerberos authentication support. It has strong security, particularly with the new privsep code - although I'm not too sure if this mode is working with Kerberos yet. SSH has very strong levels of encryption and supports compression. SSH works well across firewalls (ever tried using Kerberos encrypted ftp and rcp across a Firewall-1 box? Not fun). Probably the best thing about SSH is that you can get good SSH clients for Windows PCs - TeraTerm/SSH, PuTTY, scp, and loads of others. For me, being outside the US, getting hold of good Kerberos clients (like telnet & ftp) to run on Windows has been almost impossible.

Regards,
Kerry

On Wed, 09 Oct 2002 08:50, Mike Forey wrote:
> Hello all,
>
> I'm looking to implement secure access to about 80 servers for about 20-30
> users.
>
> I was just going to use OpenSSH which seems very simple to set up, but
> wondered whether Kerberos/SEAM might be a better way of managing keys.
>
> Could those of you who have been there, please give your comments.
>
> Many thanks,
> Mike.
>

--
Kerry Thompson CCNA CISSP
[EMAIL PROTECTED]
http://www.crypt.gen.nz

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
