> Two final questions for those of you using kerberos: If you already
> have kerberos up and running on your site(s), why would you consider
> using ssh at all? If you want to combine them, would one of the
> following possibilities suit your needs?
> 
> * Use kerberos to create an encrypted connection between your
> machines. Run the ssh connection-protocol on top of that tunnel (i.e.
> do things like starting shells, forward X and tcp, etc, but don't do
> any of the ssh style authorization or encryption).

I imagine this would get used, if someone did it.  Right now, I use ssh
only when I want to forward X11 connections, or as an alternate path into a
machine when telnetd or inetd is not working (for various reasons, ssh and
telnet tend not to break at the same time).  On the other hand, the correct
solution to this problem would be to develop and deploy working, useful
Kerberos-based authentication for X11.

> * Use ssh, but add an authentication algorithm that lets you login
> using a kerberos ticket that you obtained earlier.

This is exactly what we do.  Kerberos V support ships with ssh, and patches
are available to add Kerberos IV support.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


