sean at duke.edu
Fri Jan 6 08:18:41 PST 2006
Robert G. Brown wrote:
> My understanding of kerberos is that it is an ungainly and complex PITA
> that was developed historically to do poorly what ssh now does well, at
> the expense of annoying the hell out of the user and sysadmin alike.
> Most people who do end up using it (because it is required in order to
> e.g. access fermilab systems) or managing it, that I know of, end up
> hating it just a little bit somewhere along the way, even when they are
> in an environment (e.g. one that requires "kerberized" application
> authentication without granting shell access) where it DOES have enough
> advantage to make it worth the hassle. In most places it is used, users
> can actually access a remote shell (rlogin) with a kerberos ticket
> granted on the basis of entering a (potentially trapped) password in a
> shell so that it REALLY has no advantage with respect to ssh (and has
> numerous disadvantages). The only way I know of to avoid shell-based
> password traps is to use e.g. a SecureID smartcard or other
> one-time/real-time password generating systems.
> Is this an incorrect view?
Kerberos does a number of things. I personally think that kerberized
apps is a thing of the past. However, kerberos is still a really good
central authentication system. This is something ssh has no hope of
doing. SSH has to rely on some other authentication system, usually
accessed through PAM. And in many systems (including my cluster), that
authentication system is kerberos. So you can't really say that
kerberos was designed to do what ssh does now.
And what the kerberized apps did is akin to ssh, if you just look at
rlogin, and do a lot of user customized ssh keys. However, it also had
the whole encrypted communication without having to relogin for many
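As an added illustration (not part of the thread, and not from either poster), the two ways sshd gets at Kerberos that the reply describes: password authentication handed to a PAM stack that contains pam_krb5, and GSSAPI authentication, where the ticket obtained by kinit does the login so that no password is ever typed into the remote session (the case the quoted message worries about). File paths, the realm EXAMPLE.ORG, the user alice and the host node01 are assumptions.

```text
# /etc/ssh/sshd_config (excerpt; assumed paths and values)
UsePAM yes                       # password logins go to the PAM stack below
GSSAPIAuthentication yes         # accept a Kerberos ticket instead of a password
GSSAPICleanupCredentials yes     # remove the forwarded credential cache at logout

# /etc/pam.d/sshd (excerpt): PAM in turn delegates to Kerberos via pam_krb5
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so use_first_pass

# Client side (assumed realm and host):
#   kinit alice@EXAMPLE.ORG      # password entered once, locally, to the KDC
#   ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes node01
# The ticket authenticates the session; no password crosses the ssh connection.
```

With only the PAM route, the user still types a password at an ssh prompt, which is exactly the "trapped password" exposure raised in the quoted message; with the GSSAPI route the password is only ever entered to kinit on the local machine, and the remote side sees a ticket.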