Six Kerberos/OS X/SSH observations and questions

John Rudd jrudd at ucsc.edu
Tue Mar 1 20:32:59 EST 2005


Russ Allbery wrote:
> In comp.protocols.kerberos, Yeechang Lee <ylee at pobox.com> writes:
> 
> 
>>3) I've had public key SSH logins working well between all three boxes
>>for some time. Given that fact, I wonder if I should even bother to
>>switch to Kerberized SSH logins in the first place on any of my
>>boxes. Put another way, is there any reason to believe that using a
>>Kerberos ticket to authenticate myself in OpenSSH is "better" than a
>>public key? Or vice versa?
> 
> 
> Kerberos has the following advantages, which may or may not be of interest
> in your situation:
> 
>  * No need to copy keypairs around to different systems.  Any system that
>    uses Kerberos and has the right SSH installed can be used to
>    authenticate to any other system that uses Kerberos authentication
>    without requiring any additional key exchange.  If you're the only
>    user, the amount of required configuration may be roughly equivalent;
>    if there are a lot of users, Kerberos becomes easier.
> 
>  * Central management.  If you want to revoke the access of someone who
>    has been using public key pairs for authentication, you have to remove
>    their authorized key or their account from every individual system.
>    With Kerberos, you can deactivate their account centrally and know that
>    all access will be shut off within the ticket expiration lifetime.
> 
>  * SSH public key authentication only works for SSH.  If you have other
>    Kerberized services, you may need to obtain a Kerberos credential
>    anyway, in which case using that for SSH as well simplifies matters
>    considerably.
> 
>  * Ticket forwarding.  Kerberos can allow you to authenticate only once
>    and then pass your credentials to other systems and then use those to
>    log on to other systems, as well as use those same Kerberos credentials
>    to access other Kerberos-protected services.
> 


And these build together to help you put together a single-sign-on 
environment.  You authenticate once on your laptop, and then you can use 
that one authentication event to access email, access remote servers, 
get an AFS token (if you use AFS) for accessing files, etc.

As far as I know, SSH keys can't do that for you.
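An added example (not part of this thread, and not code from either poster) that models the "central management" point in Russ's list: removing a public key means editing authorized_keys on every host, while disabling a principal at the KDC stops new tickets at once and leaves at most one ticket lifetime of residual access. The host names, principal, key string, clock values and ticket lifetime are all constructed for the illustration; the Kerberos side is simplified to a single ticket with an expiry, omitting the TGT/service-ticket split and the cryptographic checks a real sshd performs.

```python
# Added example (not from the original post): a small model of the
# revocation difference between SSH public keys and Kerberos tickets.
# Hosts, keys, principals and the ticket lifetime are constructed values.
from dataclasses import dataclass, field


@dataclass
class Host:
    """An SSH server.  Public-key auth consults a local authorized_keys set;
    Kerberos auth only checks that a presented ticket is valid and unexpired."""
    name: str
    authorized_keys: set = field(default_factory=set)


@dataclass(frozen=True)
class Ticket:
    principal: str
    expires: int  # seconds on a constructed clock


@dataclass
class KDC:
    """The central authority.  Disabling a principal here stops new tickets
    immediately; tickets already issued stay valid until they expire."""
    ticket_lifetime: int
    enabled: dict = field(default_factory=dict)  # principal -> bool

    def add_principal(self, name):
        self.enabled[name] = True

    def disable(self, name):
        self.enabled[name] = False

    def kinit(self, name, now):
        """Issue a ticket, or None if the principal is disabled."""
        if not self.enabled.get(name, False):
            return None
        return Ticket(name, now + self.ticket_lifetime)


def pubkey_login(host, pubkey):
    """Per-host decision: nothing central is consulted."""
    return pubkey in host.authorized_keys


def kerberos_login(ticket, now):
    """Service-side check: ticket present and not yet expired.  A real sshd
    also verifies the ticket's encryption under its host key; omitted here."""
    return ticket is not None and now < ticket.expires


def revoke_key(hosts, pubkey):
    """Remove a key from every host the administrator remembered to visit."""
    for h in hosts:
        h.authorized_keys.discard(pubkey)


def hosts_still_accepting(hosts, pubkey):
    """Audit helper: which hosts would still let this key in?"""
    return sorted(h.name for h in hosts if pubkey in h.authorized_keys)


def demo():
    key = "ssh-ed25519 AAAA...constructed-key"            # constructed
    fleet = [Host(n, {key}) for n in ("alpha", "beta", "gamma")]
    kdc = KDC(ticket_lifetime=10 * 3600)                  # 10h, constructed
    principal = "yeechang@EXAMPLE.ORG"                    # constructed
    kdc.add_principal(principal)
    t0 = 1_000_000
    tkt = kdc.kinit(principal, t0)                        # user logs in once

    # Offboarding with public keys: two hosts are cleaned, one is forgotten.
    revoke_key(fleet[:2], key)
    leftover = hosts_still_accepting(fleet, key)

    # Offboarding with Kerberos: one action at the KDC.
    kdc.disable(principal)
    return {
        "pubkey_leftover_hosts": leftover,                                   # ['gamma']
        "pubkey_gamma_still_works": pubkey_login(fleet[2], key),             # True
        "kerberos_new_ticket_after_disable": kdc.kinit(principal, t0 + 60),  # None
        "kerberos_old_ticket_before_expiry": kerberos_login(tkt, t0 + 3600), # True
        "kerberos_old_ticket_after_expiry": kerberos_login(
            tkt, t0 + kdc.ticket_lifetime),                                  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the model makes visible: the ticket lifetime is the upper bound on how long a disabled principal keeps working, so it is a security parameter rather than a convenience setting; and for the public-key model the only way to get the same guarantee is an audit like hosts_still_accepting run across the whole fleet, which is exactly the per-host work Russ describes.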


