On Thu, Jul 06, 2006 at 04:52:52PM -0400, Steven M. Bellovin wrote:

> On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
>
>> apparently kerberos scares people... I'm not sure I 'get' that, but :( A corp security group once for a long time 'didn't believe in kerberos', some people 'get it' some don't :(
>
> Kerberos is a single point of failure; that scares people. You *know* you have to keep the Kerberos server locked down tight, highly available (very tricky for some ISP scenarios!), etc.
Speaking purely from a system administration point of view, Kerberos is also a nightmare. Not only does the single point of failure induce red flags in most SAs I know (myself included), but having to "kerberise" every authentication-oriented binary on the system that you have is also a total nightmare. Kerberos 4 is also completely incompatible with 5. Let's also not bring up the issue of globally-readable Kerberos tickets lying around /tmp on machines which use Kerberos, okay? ;-)

Admittedly, the rebuttals to this are a) "most things use PAM which can use Kerberos transparently" and b) "most network utilities these days support Kerberos". I run into things every day that don't support either Kerberos or PAM.

The bottom line is that SSH is "easier", so more people will use it. That may not be the best attitude, I'll admit, but that's reality.

At my current workplace, our SAs + developers wrote a distributed key system (client + daemon) that runs on all of our machines. It handles distribution and receiving of SSH keys, creating home dirs, and deciding who gets their public key stuck into /root/.ssh/authorized_keys as well. I haven't looked, but it wouldn't surprise me if something like this was already available via SourceForge or some other open-source publishing medium.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
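The ticket-cache point in the message above is a permissions problem, and it is one a system administrator can check for directly. The following POSIX shell script is an added example, not code from the thread or from any poster: it audits a directory for Kerberos credential caches that users other than the owner can read and tightens them to owner-only access. It assumes the common MIT file-cache naming pattern krb5cc_<uid> (an assumption about the deployment; keyring and directory cache types are not covered), and the sample directory it builds for the demo is constructed here rather than taken from a real /tmp.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory for Kerberos
# credential caches that other users can read, and tighten them.
# Assumption: caches use the MIT file name pattern krb5cc_<uid>;
# other cache types (KEYRING:, DIR:) are not handled here.

# Print every krb5cc_* regular file directly under $1 whose mode grants
# read permission to group (040) or to others (004).
find_exposed_caches() {
    find "$1" -maxdepth 1 -type f -name 'krb5cc_*' \
        \( -perm -040 -o -perm -004 \) -print
}

# Number of exposed caches under $1 (0 when the directory is clean).
count_exposed() {
    find_exposed_caches "$1" | wc -l | tr -d ' '
}

# Restrict every exposed cache under $1 to owner-only access (0600).
fix_exposed_caches() {
    find_exposed_caches "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Build a constructed sample directory standing in for /tmp: one correct
# cache, two exposed ones, and an unrelated file that must be ignored.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/krb5cc_1000" && chmod 600 "$d/krb5cc_1000"   # owner-only: fine
    : > "$d/krb5cc_1001" && chmod 644 "$d/krb5cc_1001"   # world-readable
    : > "$d/krb5cc_1002" && chmod 640 "$d/krb5cc_1002"   # group-readable
    : > "$d/notes.txt"   && chmod 644 "$d/notes.txt"     # not a cache
    printf '%s\n' "$d"
}

# With a directory argument, audit that directory (e.g. /tmp);
# without one, run the self-demo on the constructed sample.
if [ -n "${1:-}" ]; then
    find_exposed_caches "$1"
else
    sample=$(make_sample_dir)
    echo "exposed before fix: $(count_exposed "$sample")"   # 2
    fix_exposed_caches "$sample"
    echo "exposed after fix:  $(count_exposed "$sample")"   # 0
    rm -rf "$sample"
fi
```

Run it with no arguments to see the demo, or pass `/tmp` to list exposed caches on a real host. The check is deliberately limited to the mode bits; a cache that is owner-only but belongs to the wrong user, or one left behind after the user logged out, is a separate cleanup that `find -mtime` or a login-time hook would address.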