On Thu, 7 Nov 1996, Ron DuFresne wrote:
> > We are moving to Kerberos, and I for one love it.
> > ftp://athena-dist.mit.edu/pub/kerberos/README for instructions on how to get it.
> My limited understanding and reading about kerberos is that it is NOT an
> all-in-one solution.
As if ssh is? Kerberos replaces almost all of ssh's functionality, save
encrypted X forwarding, and has a whole lot more.
> It's not the way to make one machine's daemons talk
> with another's,
1) How does ssh allow "one machine's daemons talk with another's"?
2) Since the random-key-generation function under kerberos allows
automated processes to communicate with each other, unless I have
misunderstood your accusation, then you are just plain wrong.
> and, in multi-user machine environs, the kerberos tickets
> are plaintext and stealable by someone other than the owner...
This is silly. Your tickets under kerberos are protected the same way
that your session information is protected under ssh; unix-style access
controls. "Plaintext and stealable by someone other than the owner"??
They are protected, and anyone who can subvert your kerberos key can
subvert your ssh session.
All of this is aside from the fact that kerberos is gssapi compliant,
which means that any apps you (or anyone else) write for it will be
drop-in compatible with IPSEC. Ergo, once IPSEC is a reality (I just
downloaded the Linux IPSEC patches today), then you are a compile away
from using IPSEC in all of your kerberized applications. SSH doesn't come
anywhere close to this level of functionality, and doesn't pretend to.
DCE, NT, MIT, socks, all of them (will) use kerberos for their security
functions. There is kerberos support in cisco's latest IOS. Kerberos
fucking kicks ass.
Have you even tried kerberos?
Todd Graham Lewis Linux! Core Engineering
Mindspring Enterprises tlewis @
com (800) 719 4664, x2804
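An added example, not part of the thread or of either poster's text, illustrating the point above that a user's Kerberos tickets are protected by ordinary Unix access controls: a small audit that flags credential cache files whose owner or mode would let another local user read them. It assumes MIT Kerberos's default FILE: cache naming (/tmp/krb5cc_<uid>) and runs against a constructed scratch directory rather than the real /tmp.

```python
import os
import stat
import tempfile

# Constructed example: audit Kerberos FILE: credential caches the way the
# post describes them being protected, i.e. by Unix ownership and mode.
# MIT Kerberos names the default cache /tmp/krb5cc_<uid>; that naming
# convention is assumed here, and the directory is a parameter so the
# check can run on a scratch directory instead of /tmp.

OTHER_ACCESS = stat.S_IRWXG | stat.S_IRWXO  # any group or world permission bit


def cache_problems(path, expected_uid):
    """Return a list of problems with one credential cache file.

    An empty list means: regular file, owned by expected_uid, and no
    group/other permission bits (mode 0600 or stricter)."""
    st = os.lstat(path)  # lstat so a symlink planted in /tmp is itself flagged
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owner uid %d != expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & OTHER_ACCESS:
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def audit_ccache_dir(directory, prefix="krb5cc_"):
    """Map each krb5cc_<uid>... file in directory to its list of problems."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix):
            continue
        uid_text = name[len(prefix):].split("_")[0]  # krb5cc_1000_XXXX -> 1000
        if not uid_text.isdigit():
            report[name] = ["cannot derive expected owner uid from file name"]
            continue
        report[name] = cache_problems(os.path.join(directory, name), int(uid_text))
    return report


def demo():
    """Build a scratch directory holding one correctly protected cache and one
    that is group/world readable, audit it, and return (report, good, bad)
    where good and bad are the two file names."""
    uid = os.getuid()
    scratch = tempfile.mkdtemp()
    good = "krb5cc_%d" % uid
    bad = "krb5cc_%d_leaky" % uid
    for name, mode in ((good, 0o600), (bad, 0o644)):
        path = os.path.join(scratch, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real ticket cache")
        os.chmod(path, mode)  # explicit chmod so the umask does not decide the outcome
    return audit_ccache_dir(scratch), good, bad


if __name__ == "__main__":
    report, _, _ = demo()
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against a real system the same function would be pointed at /tmp (or whatever KRB5CCNAME's directory is); the expected uid comes from the file name, so a cache created by one user and later chowned or copied by another shows up as an ownership mismatch rather than just a bad mode.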