
Re: Moving contrib and non-free of master.debian.org



On Wed, Jun 30, 1999 at 09:56:11AM +1000, Brian May wrote:

> >SSH works well across administrative boundaries.  Kerberos (to my knowledge)
> >requires that both parties trust a common KDC in order to authenticate.
> >This would make it an incomplete replacement for SSH.
> No. It is not required to trust a common KDC. From what I know, there
> are two ways you can talk to sites across administrative boundaries
> (i.e. different realms).
[...]
> Of course snoopy would have to trust the MONASH.EDU.AU KDC that when it
> says I am bam@MONASH.EDU.AU, I really am bam@MONASH.EDU.AU (maybe some
> system administrator has `lied'). Hence I wouldn't use this method, unless
> I was positive of the security of the MONASH.EDU.AU KDC. However, I
> don't think ssh is much better, especially if you store private keys...

Disclaimer: My experience with Kerberos is limited, though I do have
some.  Feel free to correct my facts.

This sounds like both sites are trusting a common KDC.  You are getting
tickets from it (trust), and the remote system is believing that you
are who it says you are (trust).  This is part of the administrative
problem.

The other half of the problem is letting snoopy know who the KDC is for
the MONASH.EDU.AU realm.  As far as I know, this has to be configured
by the administrator [postscript: more on this below].  If I'm not an
administrator on the remote system, or its administrator isn't willing
to configure my realm there, then Kerberos won't do what I want.

> 2. log into each realm that you may use manually. There is no reason
> that you have to use anything special to do this. Currently though,
> this involves manually keeping track of separate ticket files for each
> realm. With respect to the other problem, of finding the realm and server
> for a given hostname, there is a proposed solution to add DNS entries to
> contain this information.
> 
> Of course, logging into multiple realms requires another password for
> each realm, but IMHO, this is better than sharing a common private key
> for multiple hosts (ssh method). Anyway, how many completely separate
> realms are you likely to access in one session?

SSH supports a number of authentication methods, including (but not
limited to) "pure" RSA authentication, which you've described.  There
is no reason that I have to trust private keys on multiple hosts at
all.  In fact, the most common way I use SSH (and in my opinion, its
most broadly useful mode) is with simple password-based authentication.
If the remote server is running sshd, ssh will simply connect, verify the
host keys, do a secure key exchange, and allow me to use existing
authentication mechanisms in a more secure fashion.  No site-specific
configuration is required on either side.

The idea of finding the realm and KDC via DNS is interesting...is
anyone using this today?  That would perhaps solve the configuration
difficulties that I outlined above.  Do you have any pointers to more
information?

If you want to do RSA-based authentication, you can do that, and try to
protect your private keys, but it's not necessary.  If you choose to do
this, you can also limit the privilege of a given private key (for example,
by only allowing it to execute a particular command).

I have used Kerberos within an organization, and it seems to work well
for that (except for the lack of non-UNIX support), but I find that
Kerberos and SSH are not direct replacements for one another, and in fact
are quite useful together.

-- 
 - Matt
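
The per-key restriction mentioned in the message above (a key that may only execute a particular command) is expressed in OpenSSH with the `command="..."` option in `authorized_keys`. The following is an added example, not part of the original post, that lists the keys in such a file that carry no forced command; the function names and the sample entries are constructed for illustration.

```python
# Added example: find authorized_keys entries with no forced command.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options

def split_unquoted(text, seps, limit=-1):
    """Split text at separator characters that fall outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":   # \" inside a value is literal
            quoted = not quoted
        if ch in seps and not quoted and limit != 0:
            parts.append(cur)
            cur, limit = "", limit - 1
        else:
            cur += ch
    return parts + [cur]

def parse_entry(line):
    """Return (options, key_type, comment) for one line, or None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if not line.startswith(KEY_PREFIXES):
        # Options end at the first whitespace that is not inside quotes.
        field, line = (split_unquoted(line, " \t", limit=1) + [""])[:2]
        for part in filter(None, split_unquoted(field, ",")):
            name, _, value = part.partition("=")
            if value[:1] == '"' and value[-1:] == '"':
                value = value[1:-1].replace('\\"', '"')
            options[name.lower()] = value or True
    fields = line.split(None, 2)
    return options, fields[0] if fields else "", fields[2] if len(fields) > 2 else ""

def unrestricted_keys(text):
    """Comments (or key types) of keys that may run any command."""
    entries = filter(None, map(parse_entry, text.splitlines()))
    return [comment or ktype for opts, ktype, comment in entries if "command" not in opts]

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = '''# constructed authorized_keys sample
ssh-rsa AAAAB3PLACEHOLDER1 matt@laptop
command="/usr/local/bin/backup-push",no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER2 backup job
from="*.example.org",command="echo \\"sync only\\"" ssh-ed25519 AAAAC3PLACEHOLDER3 mirror, sync
no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER4 build@ci
'''

if __name__ == "__main__":
    print(unrestricted_keys(SAMPLE))
```

A key with other options but no `command=` (the last sample entry) is still reported, since it can start an arbitrary command or shell.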

