
Re: Kerberos on .debian.org?



>>>>> "Turbo" == Turbo Fredriksson <turbo@bayour.com> writes:

    Turbo> I've been playing with the krb5-* packages and I'm
    Turbo> _IMPRESSED_!  I never used kerberos before, but it's cool
    Turbo> (and secure, let's not forget that! :).

    Turbo> With the help of 'libpam-krb5' and the pam_krb5_migrate.so
    Turbo> (can be found at 'ftp://ftp.netexpress.net/pub/pam/') it
    Turbo> would be 'easy' to be able to use krsh/ktelnet etc to login
    Turbo> securely to any Debian machine.

First, I'd be happy to help administer a debian.org Kerberos server
and help the admin group set up something like this.  (Where help
might include ending up doing all the work if required).  I can
attempt to validate that I can be trusted sufficiently to help with
such an effort if people are interested.  Certainly I care about
developing the technology to make this sort of service easy to
deploy. (My company boxedpenguin.com is trying to put something like
this together for startups.)

However, I don't think Kerberos in Debian is quite ready for that yet.
There is not a good way to use Kerberos with ssh2 yet.  I'm working
with Jeffrey Hutzelman in the IETF secsh working group to fix this
problem at the standards level, so hopefully there will soon be an
implementation.

Second, I'm still tracking down some issues with forwarding tickets
interacting badly with the Debian packages.  Works fine with the
upstream.

I think Kerberos has a lot to offer Debian.  It provides the same
flexibility of ssh-agent with more limited exposure in case of key
compromise.  Also, Kerberos provides a convenient solution to ssh
man-in-the-middle attacks.

I'd like to see this happen, but perhaps in a few months when things
become more stable.  On the other hand, if people have the
energy/desire now, I will certainly do my part.



