Six Kerberos/OS X/SSH observations and questions
rra at stanford.edu
Sun Feb 27 16:35:12 EST 2005
In comp.protocols.kerberos, Yeechang Lee <ylee at pobox.com> writes:
> 3) I've had public key SSH logins working well between all three boxes
> for some time. Given that fact, I wonder if I should even bother to
> switch to Kerberized SSH logins in the first place on any of my
> boxes. Put another way, is there any reason to believe that using a
> Kerberos ticket to authenticate myself in OpenSSH is "better" than a
> public key? Or vice versa?
Kerberos has the following advantages, which may or may not be of interest
in your situation:
* No need to copy keypairs around to different systems. Any system that
uses Kerberos and has the right SSH installed can be used to
authenticate to any other system that uses Kerberos authentication
without requiring any additional key exchange. If you're the only
user, the amount of required configuration may be roughly equivalent;
if there are a lot of users, Kerberos becomes easier.
* Central management. If you want to revoke the access of someone who
has been using public key pairs for authentication, you have to remove
their authorized key or their account from every individual system.
With Kerberos, you can deactivate their account centrally and know that
all access will be shut off within the ticket expiration lifetime.
* SSH public key authentication only works for SSH. If you have other
Kerberized services, you may need to obtain a Kerberos credential
anyway, in which case using that for SSH as well simplifies matters
* Ticket forwarding. Kerberos can allow you to authenticate only once
and then pass your credentials to other systems and then use those to
log on to other systems, as well as use those same Kerberos credentials
to access other Kerberos-protected services.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos