Robert G. Brown
rgb at phy.duke.edu
Fri Jan 6 09:36:10 PST 2006
On Fri, 6 Jan 2006, Sean Dilda wrote:
> Kerberos does a number of things. I personally think that kerberized apps are
> a thing of the past. However, kerberos is still a really good central
> authentication system. This is something ssh has no hope of doing. SSH has
> to rely on some other authentication system, usually accessed through PAM.
> And in many systems (including my cluster), that authentication system is
> kerberos. So you can't really say that kerberos was designed to do what ssh
> does now.

(rubbing side of head...;-)

OK, I'll buy that. Centralized authentication is something I find more
than a bit worrisome in lots of different ways, and Unix has always had
some problems providing it (just flattening a UID space across a WAN the
size of Duke is a serious problem all by itself; the protocol wasn't
really designed to scale out that far).

Of course I was really discussing the security benefits per se, not the
management benefits in a WAN, but obviously I was wrong about everybody
I know hating it just a bit...;-)

> And what the kerberized apps did is akin to ssh, if you just look at rlogin,
> and do a lot of user customized ssh keys. However, it also had the whole
> encrypted communication without having to relogin for many other services.

As does ssh now. I agree that in its day kerberos was one way of
getting what ssh does (and that it still does). We are just lucky that
there are "many" tools today that do a lot of this better (more easily).

Account/information management is an area where I think Unix needs a bit
of a makeover, unfortunately. I keep waiting for NIS or LDAP to one day
be revised to take over the world, but well, I keep waiting...:-)

Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu