[Beowulf] Newbie

Sean Dilda sean at duke.edu
Fri Jan 6 08:18:41 PST 2006


Robert G. Brown wrote:

> 
> My understanding of kerberos is that it is an ungainly and complex PITA
> that was developed historically to do poorly what ssh now does well, at
> the expense of annoying the hell out of the user and sysadmin alike.
> Most people who do end up using it (because it is required in order to
> e.g. access fermilab systems) or managing it, that I know of, end up
> hating it just a little bit somewhere along the way, even when they are
> in an evironment (e.g. one that requires "kerberized" application
> authentication without granting shell access) where it DOES have enough
> advantage to make it worth the hassle.  In most places it is used, users
> can actually access a remote shell (rlogin) with a kerberos ticket
> granted on the basis of entering a (potentially trapped) password in a
> shell so that it REALLY has no advantage with respect to ssh (and has
> numerous disadvantages).  The only way I know of to avoid shell-based
> password traps is to use e.g. a SecureID smartcard or other
> one-time/real-time password generating systems.
> 
> Is this an incorrect view?

Kerberos does a number of things.  I personally think that kerberized 
apps is a thing of the past.  However, kerberos is still a really good 
central authentication system.  This is something ssh has no hope of 
doing.  SSH has to rely on some other authentication system, usually 
accessed through PAM.  And in many systems (including my cluster), that 
authentication system is kerberos.  So you can't really say that 
kerberos was designed to do what ssh does now.

And what the kerberized apps did is akin to ssh, if you just look at 
rlogin, and do a lot of user customized ssh keys.  However, it also had 
the whole encrypted communication without having to relogin for many 
other services.



More information about the Beowulf mailing list