Marc Horowitz wrote:
>
> [EMAIL PROTECTED] (Niels Möller) writes:
>
>
> This is much more of an OS issue than kerberos vs ssh vs other
> authentication systems issue.
>
> >> I'd like ssh to offer the features needed for large organizations. If
> >> I can find out how.
> >>
> >> Two final questions for those of you using kerberos: If you already
> >> have kerberos up and running on your site(s), why would you consider
> >> using ssh at all? If you want to combine them, would one of the
> >> following possibilities suit your needs?
> >>
> >> * Use kerberos to create an encrypted connection between your
> >> machines. Run the ssh connection-protocol on top of that tunnel (i.e.
> >> do things like starting shells, forward X and tcp, etc, but don't do
> >> any of the ssh style authorization or encryption).
> >>
> >> * Use ssh, but add an authentication algorithm that lets you login
> >> using a kerberos ticket that you obtained earlier.
>
> The former seems less clean than the latter, since ssh is designed to
> handle different authentication protocols. Both would work, though.
> Practically speaking, since ssh ships with the latter implemented,
> it's what I used, often. The ability to combine kerberos
> authentication and ticket forwarding with ssh X and TCP forwarding is
> both secure and convenient.

In addition to the Kerberos authentication which comes in some versions
of SSH, NCSA has mods to ssh-1.2.27 to add GSSAPI authentication. This can
then be linked with a number of GSSAPI implementations, including the
Kerberos GSSAPI.

Van Dyke (www.vandyke.com) has added these GSSAPI modifications to their
SecureCRT product for Windows, and it works well when you add an additional
DLL. (We told them the wrong calling convention and DLL name.) Contact
me if you need more information.

>
> Marc
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444