In article <19990629190649.B2682@csh.rit.edu> you write:
>On Wed, Jun 30, 1999 at 08:31:55AM +1000, Brian May wrote:
>
>> > SSH
>> >
>> > Difficult to replace at present.
>[...]
>> <flame proof suit>
>> What about kerberos?
>
>SSH works well across administrative boundaries. Kerberos (to my knowledge)
>requires that both parties trust a common KDC in order to authenticate.
>This would make it an incomplete replacement for SSH.

No. It is not required to trust a common KDC.

From what I know, there are two ways you can talk to sites across administrative boundaries (i.e. different realms). I will use an example to simplify matters.

Say I wanted to telnet to my computer snoopy.apana.org.au, which has a realm of CHOCBIT.ORG.AU, from Monash Uni, which has a realm (actually it doesn't use Kerberos) of MONASH.EDU.AU.

1. Interrealm authentication.

I authenticate myself to the MONASH.EDU.AU realm and become known, in the Kerberos world, as bam@MONASH.EDU.AU. In my $HOME/.k5login file, I would have to specify that bam@MONASH.EDU.AU is allowed to log in as me.

Of course snoopy would have to trust the MONASH.EDU.AU KDC that when it says I am bam@MONASH.EDU.AU, I really am bam@MONASH.EDU.AU (maybe some system administrator has `lied'). Hence I wouldn't use this method, unless I was positive of the security of the MONASH.EDU.AU KDC. However, I don't think ssh is much better, especially if you store private keys...

Note: Even if somebody did break into the MONASH.EDU.AU KDC, no one could pretend to be bam@CHOCBIT.ORG.AU unless they broke into that KDC, too.

2. Log into each realm that you may use manually.

There is no reason that you have to use anything special to do this. Currently though, this involves manually keeping track of separate ticket files for each realm.

With respect to the other problem, of finding the realm and server for a given hostname, there is a proposed solution to add DNS entries to contain this information.

Of course, logging into multiple realms requires another password for each realm, but IMHO, this is better than sharing a common private key for multiple hosts (ssh method). Anyway, how many completely separate realms are you likely to access in one session?

--
Brian May <bam@snoopy.apana.org.au>
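The following is an added illustration, not part of Brian's message and not the code of any Kerberos implementation: a small model of the authorization decision a login service makes for the scenario above, showing how a $HOME/.k5login entry for a foreign principal such as bam@MONASH.EDU.AU extends the set of KDCs the host must trust, while still not letting a compromise of that KDC impersonate any principal in the host's own realm. The realm names and the sample .k5login contents are taken from the post; the function names (`Principal`, `parse_k5login`, `authorize`) and the `Decision` record are hypothetical, chosen for the example.

```python
# Added example (not from the original message or any Kerberos library):
# model the check a host performs when a Kerberos-authenticated client asks
# to log in as a local user, and record which realm's KDC vouched for it.
# Realm names and the sample .k5login follow the post; helper names are
# hypothetical and chosen for this demonstration.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # A principal is NAME@REALM; a backslash escapes '@' inside NAME,
        # so split on the last '@' and reject a leading or escaped one.
        i = text.rfind("@")
        if i <= 0 or text[i - 1] == "\\" or i == len(text) - 1:
            raise ValueError(f"malformed principal: {text!r}")
        return cls(text[:i].replace("\\@", "@"), text[i + 1:])


def parse_k5login(contents: Optional[str]) -> Optional[list]:
    """Principals listed in a .k5login file, or None when the file is absent
    (contents is None). Blank lines are ignored."""
    if contents is None:
        return None
    return [Principal.parse(line.strip())
            for line in contents.splitlines() if line.strip()]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    trusted_kdcs: tuple   # realms whose KDC the host relied on for this login
    reason: str


def authorize(local_user: str, local_realm: str,
              k5login: Optional[str], client: Principal) -> Decision:
    """Decide whether `client` may log in as `local_user` on a host in
    `local_realm`, and report which KDCs had to be trusted to get there."""
    listed = parse_k5login(k5login)
    if listed is None:
        # No .k5login: only NAME@LOCAL_REALM maps onto local user NAME.
        if client.realm == local_realm and client.name == local_user:
            return Decision(True, (local_realm,), "default mapping, same realm")
        return Decision(False, (), "no .k5login and no default mapping")
    if client not in listed:
        return Decision(False, (), "principal not listed in .k5login")
    if client.realm == local_realm:
        return Decision(True, (local_realm,), "listed, same realm")
    # Cross-realm (method 1 in the post): the local KDC issued the service
    # ticket, but it took the foreign KDC's word for who the client is. A
    # compromise of the foreign KDC can therefore present as this listed
    # entry, yet the client name in the ticket still carries the foreign
    # realm, so no principal of local_realm can be forged that way.
    return Decision(True, (local_realm, client.realm),
                    "listed, cross-realm: relies on the foreign KDC")


if __name__ == "__main__":
    # Constructed .k5login for user bam on snoopy (realm CHOCBIT.ORG.AU).
    k5 = "bam@CHOCBIT.ORG.AU\nbam@MONASH.EDU.AU\n"
    for who in ("bam@MONASH.EDU.AU", "bam@CHOCBIT.ORG.AU", "alice@MONASH.EDU.AU"):
        d = authorize("bam", "CHOCBIT.ORG.AU", k5, Principal.parse(who))
        print(f"{who:22} allowed={d.allowed!s:5} trusts={d.trusted_kdcs} ({d.reason})")
```

Run it as a script to see the three cases from the post side by side: the cross-realm entry is accepted but widens the trusted-KDC set to both realms, the same-realm entry relies only on the local KDC, and an unlisted foreign principal is refused regardless of which KDC vouched for it.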
Attachment:
pgpC8xmsoqEZc.pgp
Description: PGP signature