On Thu, 6 Jul 2006, Jeremy Chadwick wrote:
On Thu, Jul 06, 2006 at 04:52:52PM -0400, Steven M. Bellovin wrote:
On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
apparently kerberos scares people... I'm not sure I 'get' that, but :( A corp security group once for a long time 'didn't believe in kerberos', some people 'get it' some don't :(
Kerberos is a single point of failure; that scares people. You *know* you have to keep the Kerberos server locked down tight, highly available (very tricky for some ISP scenarios!), etc.
Speaking purely from a system administration point of view, Kerberos is also a nightmare. Not only does the single-point-of-failure induce red flags in most SAs I know (myself included), but having to "kerberise" every authentication-oriented binary on the system that you have is also a total nightmare. Kerberos 4 is also completely incompatible with 5. Let's also not bring up the issue of globally-readable Kerberos tickets lying around /tmp on machines which use Kerberos, okay? ;-)
these really are issues of 1994 (or before). Most things people care about are kerberized or could be substituted with things that are kerberized.
Admittedly, the rebuttals to this are a) "most things use PAM which can use Kerberos transparently" and b) "most network utilities these days support Kerberos". I run into things every day that support neither Kerberos nor PAM.
I've not run into them, but I've not been looking hard since most of what I do uses it...
The bottom line is that SSH is "easier", so more people will use it. That may not be the best attitude, I'll admit, but that's reality.
ssh+kerb works, even out of the box without the nasty patch-foo you used to have to live with. It even uses kerb tickets to make up host keys on the fly (in v2), so you don't have to worry about someone stealing your host key and finding a way into your tunnel that way anymore.
At my current workplace, our SAs + developers wrote a distributed key system (client + daemon) that runs on all of our machines. It
Did anyone do a security assessment of that? :( Is it better/worse than the alternatives? I honestly don't know, I'm just asking to make a point. Folks have been beating on kerberos for a long time... anyway :) cats with skin, there are many ways to remove said skin.
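[Editor's note: the "ssh+kerb works out of the box" and "kerb tickets make up host keys on the fly" points above are what the configuration below wires up. It is an added example, not configuration posted by anyone in this thread, and the host pattern *.example.com is a placeholder. Host authentication via Kerberos needs the GSSAPI key-exchange patch that Debian, Ubuntu and RHEL-family OpenSSH builds carry; stock OpenSSH only knows the user-authentication half (GSSAPIAuthentication).]

```sshconfig
# ---- client side: ~/.ssh/config ----
Host *.example.com
    # Log the user in with the TGT already in the credential cache (kinit),
    # no password or per-user key on the wire. Supported by stock OpenSSH.
    GSSAPIAuthentication yes
    # Authenticate the *server* through its host/<fqdn>@REALM principal as part
    # of the key exchange, so no stored host key is consulted or trusted.
    # Only honoured by builds with the GSSAPI key-exchange patch.
    GSSAPIKeyExchange yes
    # Forwarding the TGT hands the server your identity; keep it off unless
    # the remote host genuinely needs to act as you.
    GSSAPIDelegateCredentials no

# ---- server side: /etc/ssh/sshd_config ----
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
# Accept only the principal for this host's own name from /etc/krb5.keytab,
# not any host/* key that happens to be in the keytab.
GSSAPIStrictAcceptorCheck yes
# Destroy any forwarded ticket cache when the session ends.
GSSAPICleanupCredentials yes
```

To check that the Kerberos path is actually being used rather than silently falling back: the server needs a host/<fqdn>@REALM key in /etc/krb5.keytab, the client runs kinit and then ssh -vv somehost.example.com. With the key-exchange patch in place the verbose output names a kex algorithm beginning with gss- and reports the authentication method gssapi-with-mic; if no gss- kex algorithm appears, that build lacks the patch, the host is still being verified by its host key, and known_hosts plus StrictHostKeyChecking remain the only defence against the stolen-host-key scenario described above.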