Solaris, OpenSSH & Kerberos

Kerry Thompson kerry at crypt.gen.nz
Wed Oct 9 04:06:56 EDT 2002


Hi Mike

Yup, I've been there. A few years ago I set up and administered about 40 Sun 
boxes with 4 sysadmins and about 20 users - developers mostly, it was mostly 
a web content development environment plus other Internet services like DNS 
and Email.

I would suggest both Kerberos/SEAM *and* OpenSSH. When I was doing this Sun 
didn't have SEAM out, so I used MIT krb5.

Kerberos is good for centralised authentication. Many servers can hook into it 
easily, also a Win2K AD domain if you need to. Many applications like Samba 
also have Kerberos authentication capability which is a bonus. And Kerberos 
has ksu - which can be used just like sudo - when you need to have people 
access stuff like restarting web servers without giving them the root 
password you can just set them up with ksu access to the command.

OpenSSH is used almost everywhere and can be compiled with Kerberos 
authentication support. It has strong security particularly with the new 
privsep code - although I'm not too sure if this mode is working with 
Kerberos yet. SSH has very strong levels of encryption and supports 
compression. SSH works well across firewalls (ever tried using Kerberos 
encrypted ftp and rcp across a Firewall-1 box? not fun). Probably the best 
thing about SSH is that you can get good SSH clients for Windows PCs - 
TeraTerm/SSH, PuTTY, scp, and loads of others. For me, being outside the US, 
getting hold of good Kerberos clients (like telnet & ftp) to run on Windows 
has been almost impossible.

Regards,
Kerry


On Wed, 09 Oct 2002 08:50, Mike Forey wrote:
> Hello all,
>
> I'm looking to implement secure access to about 80 servers for about 20-30
> users.
>
> I was just going to use OpenSSH which seems very simple to set up, but
> wondered whether Kerberos/SEAM might be a better way of managing keys.
>
> Could those of you who have been there, please give your comments.
>
> Many thanks,
> Mike.
>

-- 
Kerry Thompson CCNA CISSP
kerry at crypt.gen.nz
http://www.crypt.gen.nz
