Six Kerberos/OS X/SSH observations and questions

Russ Allbery rra at
Sun Feb 27 16:35:12 EST 2005

In comp.protocols.kerberos, Yeechang Lee <ylee at> writes:

> 3) I've had public key SSH logins working well between all three boxes
> for some time. Given that fact, I wonder if I should even bother to
> switch to Kerberized SSH logins in the first place on any of my
> boxes. Put another way, is there any reason to believe that using a
> Kerberos ticket to authenticate myself in OpenSSH is "better" than a
> public key? Or vice versa?

Kerberos has the following advantages, which may or may not be of interest
in your situation:

 * No need to copy keypairs around to different systems.  Any system that
   uses Kerberos and has the right SSH installed can be used to
   authenticate to any other system that uses Kerberos authentication
   without requiring any additional key exchange.  If you're the only
   user, the amount of required configuration may be roughly equivalent;
   if there are a lot of users, Kerberos becomes easier.

 * Central management.  If you want to revoke the access of someone who
   has been using public key pairs for authentication, you have to remove
   their authorized key or their account from every individual system.
   With Kerberos, you can deactivate their account centrally and know that
   all access will be shut off within the ticket expiration lifetime.

 * SSH public key authentication only works for SSH.  If you have other
   Kerberized services, you may need to obtain a Kerberos credential
   anyway, in which case using that for SSH as well simplifies matters

 * Ticket forwarding.  Kerberos can allow you to authenticate only once
   and then pass your credentials to other systems and then use those to
   log on to other systems, as well as use those same Kerberos credentials
   to access other Kerberos-protected services.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list