In message <199805150421.AAA07966@jekyll.piermont.com>, "Perry E. Metzger" writes:
Michael Dillon writes:
On Fri, 15 May 1998, Dean Anderson wrote:
If you were using ssh for secure access then the answer would be to find a
It is just as easy to download a kerberized versions of NCSA telnet or NiftyTelnet, for the mac or pc.
No it's not. I gave a URL for the Mac and Windows ssh clients; you didn't.
URL or no, I've played with both kerberized NCSA telnet and SSH -- anyone who claims that setting up and maintaining a KDC is as easy as the "point and shoot" rlogin replacement portion of SSH hasn't really tried both possibilities. SSH is far simpler -- its almost foolproof, and it requires no infrastructure commitment to run.
Perry
A medium to large ISP typically has a few hundred employees with access to a few hundred to a few thousand routers and somewhere around a few hundred workstations. (There may be a thousand or more employees but accounting, etc, don't have access to the routers and development and NMS machines). SSH is easy to set up on your home linux or BSD box but that isn't the overriding factor when considering which is better for an ISP.

Consider what an ISP has to go through when an employee leaves and their access to company systems must be terminated. With kerberos someone goes to the KDC and sets the expiration on their kerberos principal to the current minute or changes their kerberos password or both. In a few minutes their access to all systems is gone. Even if they had admin access to the KDC, you can change the KDC and admin passwords and rebuild the KDC and any secondaries in well under an hour. You may have to do a "ksrvutil change" on cron service tab files they had read access to (these should be few).

With ssh, the ssh key identity can't be revoked. Instead you need to find all .slogin files for all the accounts on all the machines and routers and make sure they aren't listed under an assigned name or a pseudoname they chose and didn't tell you about (an impossible task), plus insure that any machine (like their home machine) that they have access to doesn't appear in any .shosts files. Given 1,000 machines (for example) which sounds harder to do? Is the turnover rate for NOC staff negligible or fairly constant?

Curtis
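As an added illustration of the offboarding audit Curtis describes (example code, not from any of the posters), the script below matches a departed user's entries by public-key material rather than by the trailing comment, since the comment can carry any name the user chose, and separately flags .shosts lines naming their hosts. It assumes the OpenSSH authorized_keys line format (options, key type, base64 blob, comment) and uses constructed sample data.

```python
"""Audit ssh authorized-key and .shosts files for a departed user's entries.

Matching is done on the key material, not on the comment field, because a
user can label a key with any name they like (assumed OpenSSH format).
"""
import base64
import hashlib


def key_fingerprint(line):
    """Return an OpenSSH-style SHA256 fingerprint for one key line, or None
    if the line is blank, a comment, or does not contain a key blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    # Options may precede the key type (e.g. from="host" ssh-rsa AAAA...),
    # so look for the first token that names a key type.
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith("ssh-") or tok.startswith("ecdsa-"):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def revoked_entries(authorized_keys_text, revoked_fingerprints):
    """Split an authorized_keys file into (lines to keep, lines to drop)."""
    keep, dropped = [], []
    for line in authorized_keys_text.splitlines():
        fp = key_fingerprint(line)
        (dropped if fp in revoked_fingerprints else keep).append(line)
    return keep, dropped


def shosts_entries_for_hosts(shosts_text, revoked_hosts):
    """Return .shosts/.rhosts lines that trust any of the revoked hosts."""
    hits = []
    for line in shosts_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() in revoked_hosts:
            hits.append(line)
    return hits


# Constructed sample data (not real keys): the departed user's key appears
# once under their assigned name and once under a pseudonym they chose.
DEPARTED_KEY = base64.b64encode(b"constructed key material for jdoe").decode()
OTHER_KEY = base64.b64encode(b"constructed key material for alice").decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-rsa {DEPARTED_KEY} jdoe@noc",
    f"ssh-rsa {OTHER_KEY} alice@noc",
    f'from="home.example" ssh-rsa {DEPARTED_KEY} backup-cron',
])
SAMPLE_SHOSTS = "jdoe-home.example jdoe\nalice-box.example alice\n"
```

In practice the revoked fingerprint set comes from the key the departing user registered, and the same scan is run over every account on every host.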