Re: Six Kerberos/OS X/SSH observations and questions
Russ Allbery wrote:

> In comp.protocols.kerberos, Yeechang Lee [EMAIL PROTECTED] writes:
>
>> 3) I've had public key SSH logins working well between all three boxes for some time. Given that fact, I wonder if I should even bother to switch to Kerberized SSH logins in the first place on any of my boxes. Put another way, is there any reason to believe that using a Kerberos ticket to authenticate myself in OpenSSH is better than a public key? Or vice versa?
>
> Kerberos has the following advantages, which may or may not be of interest in your situation:
>
> * No need to copy keypairs around to different systems. Any system that uses Kerberos and has the right SSH installed can be used to authenticate to any other system that uses Kerberos authentication without requiring any additional key exchange. If you're the only user, the amount of required configuration may be roughly equivalent; if there are a lot of users, Kerberos becomes easier.
>
> * Central management. If you want to revoke the access of someone who has been using public key pairs for authentication, you have to remove their authorized key or their account from every individual system. With Kerberos, you can deactivate their account centrally and know that all access will be shut off within the ticket expiration lifetime.
>
> * SSH public key authentication only works for SSH. If you have other Kerberized services, you may need to obtain a Kerberos credential anyway, in which case using that for SSH as well simplifies matters considerably.
>
> * Ticket forwarding. Kerberos can allow you to authenticate only once and then pass your credentials to other systems and then use those to log on to other systems, as well as use those same Kerberos credentials to access other Kerberos-protected services.

And these build together to help you put together a single-sign-on environment. You authenticate once on your laptop, and then you can use that one authentication event to access email, access remote servers, get an AFS token (if you use AFS) for accessing files, etc. As far as I know, SSH keys can't do that for you.

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Six Kerberos/OS X/SSH observations and questions
In comp.protocols.kerberos, Yeechang Lee [EMAIL PROTECTED] writes:

> 3) I've had public key SSH logins working well between all three boxes for some time. Given that fact, I wonder if I should even bother to switch to Kerberized SSH logins in the first place on any of my boxes. Put another way, is there any reason to believe that using a Kerberos ticket to authenticate myself in OpenSSH is better than a public key? Or vice versa?

Kerberos has the following advantages, which may or may not be of interest in your situation:

* No need to copy keypairs around to different systems. Any system that uses Kerberos and has the right SSH installed can be used to authenticate to any other system that uses Kerberos authentication without requiring any additional key exchange. If you're the only user, the amount of required configuration may be roughly equivalent; if there are a lot of users, Kerberos becomes easier.

* Central management. If you want to revoke the access of someone who has been using public key pairs for authentication, you have to remove their authorized key or their account from every individual system. With Kerberos, you can deactivate their account centrally and know that all access will be shut off within the ticket expiration lifetime.

* SSH public key authentication only works for SSH. If you have other Kerberized services, you may need to obtain a Kerberos credential anyway, in which case using that for SSH as well simplifies matters considerably.

* Ticket forwarding. Kerberos can allow you to authenticate only once and then pass your credentials to other systems and then use those to log on to other systems, as well as use those same Kerberos credentials to access other Kerberos-protected services.

-- 
Russ Allbery ([EMAIL PROTECTED])
http://www.eyrie.org/~eagle/
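Russ's "central management" point can be checked in practice: with public keys, revoking one person means auditing every host's authorized_keys. The script below is an added illustration (not code from the thread or from OpenSSH); it parses authorized_keys lines the way sshd reads them (options, key type, base64 blob, comment), computes the SHA256 fingerprint ssh-keygen -l would print, and reports which hosts still accept a departed user's keys. The hostnames, key blobs and file contents are constructed sample data.

```python
import base64
import hashlib
import re

# Key types OpenSSH accepts in authorized_keys; used to tell the key from any leading options.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Options such as from="..." or command="ls -l" may precede the key type; match the
# key type, the base64 blob and the optional comment that follow them.
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                    r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) for every key line; blanks, comments and options are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            yield fingerprint(m.group(2)), (m.group(3) or "")

def hosts_still_granting(authorized_keys_by_host: dict, revoked: set) -> dict:
    """Map each host to the revoked fingerprints its authorized_keys still lists (empty = clean)."""
    leftovers = {}
    for host, text in authorized_keys_by_host.items():
        found = sorted(fp for fp, _ in parse_authorized_keys(text) if fp in revoked)
        if found:
            leftovers[host] = found
    return leftovers

# Constructed key blobs (valid base64, not real keys) standing in for a departed user's keys.
ALICE_BLOB = base64.b64encode(b"constructed blob: alice's laptop key").decode()
ALICE_OLD_BLOB = base64.b64encode(b"constructed blob: alice's older key").decode()
BOB_BLOB = base64.b64encode(b"constructed blob: bob's key").decode()

# Constructed authorized_keys contents from three hosts; alice was removed from "fedora" only.
SAMPLE = {
    "ibook": f"ssh-ed25519 {ALICE_BLOB} alice@laptop\nssh-rsa {BOB_BLOB} bob\n",
    "powermac": f'# old entries\nfrom="10.0.0.0/8",no-pty ssh-rsa {ALICE_OLD_BLOB} alice-old\n',
    "fedora": f"ssh-rsa {BOB_BLOB} bob\n",
}
ALICE_REVOKED = {fingerprint(ALICE_BLOB), fingerprint(ALICE_OLD_BLOB)}

if __name__ == "__main__":
    for host, fps in hosts_still_granting(SAMPLE, ALICE_REVOKED).items():
        print(f"{host}: still accepts {', '.join(fps)}")
```

Feeding it real files (one per host) turns it into the per-host sweep that a central Kerberos account deactivation makes unnecessary.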
Re: Six Kerberos/OS X/SSH observations and questions
Entity Yeechang Lee spoke thus:

> 3) I've had public key SSH logins working well between all three boxes for some time. Given that fact, I wonder if I should even bother to switch to Kerberized SSH logins in the first place on any of my boxes. Put another way, is there any reason to believe that using a Kerberos ticket to authenticate myself in OpenSSH is better than a public key? Or vice versa?

Writing on behalf of comp.sys.mac.system, I'd be curious to know what some of the advantages of your plan are over the OS X built-in SSH authentication. Maybe you could explain.

-- 
Gnarlie's Applescript page: http://Gnarlodious.com/Apple/AppleScript/
Re: Six Kerberos/OS X/SSH observations and questions
"Yeechang" == Yeechang Lee [EMAIL PROTECTED] writes:

> It took me quite a while to figure out why Kerberos SSH connections *didn't* work to and from the iBook; for others' benefit, it's due to the change in OpenSSH 3.8 from gssapi to gssapi-with-mic. The OS X OpenSSH is still at 3.6.1p1 (and Fink's version is 3.7.1p1), while Fedora's OpenSSH is 3.9p1.

The sources for the Debian openssh packages based off the 3.8.1 sources (see ftp://ftp.debian.org/debian/pool/main/o/openssh-krb5 ) support both gssapi and gssapi-with-mic. I'd expect them to build on most systems.

--Sam
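The method-name change Yeechang and Sam describe shows up directly in ssh -v output, where the client logs the server's "Authentications that can continue" list. The helper below is an added example (not from the thread or from OpenSSH) that reads such a transcript and says whether the client's GSSAPI method name matches what the server offers; the transcript is a constructed excerpt standing in for a pre-3.8 server.

```python
import re

# Method name OpenSSH used before 3.8 and the name that replaced it, as noted in the thread.
LEGACY_GSSAPI = "gssapi"
CURRENT_GSSAPI = "gssapi-with-mic"

# The ssh client logs the server's remaining methods as a comma-separated list on lines like this.
CONTINUE_RE = re.compile(r"Authentications that can continue: (\S+)")

def offered_methods(debug_output: str) -> set:
    """Collect every method the server advertised during an ssh -v session."""
    methods = set()
    for m in CONTINUE_RE.finditer(debug_output):
        methods.update(m.group(1).split(","))
    return methods

def gssapi_diagnosis(client_gssapi: str, debug_output: str) -> str:
    """Explain why GSSAPI did or did not line up between this client and the server."""
    offered = offered_methods(debug_output)
    if client_gssapi in offered:
        return f"ok: both sides speak {client_gssapi}"
    other = ({LEGACY_GSSAPI, CURRENT_GSSAPI} - {client_gssapi}) & offered
    if other:
        return (f"mismatch: client speaks {client_gssapi} but server offers only "
                f"{', '.join(sorted(other))}; one side needs a build that knows both names")
    return "server does not offer GSSAPI at all (check GSSAPIAuthentication in sshd_config)"

# Constructed ssh -v excerpt from a server built on a pre-3.8 OpenSSH (offers the legacy name).
OLD_SERVER_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi,password
debug1: Next authentication method: publickey
"""

if __name__ == "__main__":
    # A 3.9p1 client only knows gssapi-with-mic, so against this server it cannot use GSSAPI.
    print(gssapi_diagnosis(CURRENT_GSSAPI, OLD_SERVER_LOG))
```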