On 13 Oct 2010, at 19:53, Will Fiveash wrote:

> On Wed, Oct 13, 2010 at 11:04:43AM -0700, Henry B. Hotz wrote:
>> Use GSSAPI/Kerberos instead. ;-)
>
> Yep, Solaris SSH has had support for that since Solaris 10. I use it all the time at work (I only use the pubkey auth when talking to a system that isn't set up to do krb auth).

Sorry to revive an old argument, but I don't think this is the right conclusion. Yes, Sun SSH supports Kerberos, but it doesn't support other standard ways of looking up SSH keys, like DNS and, what is not quite the same thing, LDAP (because LDAP isn't so standard, given that LPK is a patch). These other means of publishing ssh keys cannot simply be replaced by providing Kerberos. For example, if I only need to authenticate something like a Mercurial or a Git repository exposed on the Internet, what I need is something like fingerprint-based server authentication rather than Kerberised mutual authentication.

Kerberos is great as an enterprise SSO solution, but if I'm using ssh as a remote access solution, why not use public keys in LDAP + Kerberos as two-stage (as opposed to two-factor) authentication, requiring LDAP-based ssh key authentication for access to a landing server before allowing someone to attempt Kerberos authentication? It's not an unreasonable security policy to say that Kerberos credentials should only be used within the enterprise and that ssh keys are a more appropriate authentication for external services.

With SSH keys in LDAP, I can give an outside party an IPsec connection to an LDAP server and be responsible for managing the credentials and accounts on that server, which is an approach to federating that people would reasonably want to avoid doing with Kerberos and find a pain to manage with file-based ssh keys. If you accept that Kerberos isn't nearly a 100% solution, providing scalable solutions for ssh key publication seems a reasonable requirement.

Cheers, Bayard

>> On Oct 13, 2010, at 5:46 AM, Alexander Welter wrote:
>>
>>> Hi all,
>>>
>>> I looked into a way to distribute SSH public keys through LDAP, to get rid of the always local authorized_keys files. What I found was the OpenSSH public key patch (OpenSSH LPK), which seems to be promising. Does anyone know if there are any plans to integrate this feature into the "Solaris-SSH"?
>
> --
> Will Fiveash
> Oracle
> http://opensolaris.org/os/project/kerberos/
> Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
> _______________________________________________
> security-discuss mailing list
> [email protected]
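An added example, not code from the thread or from any of its posters, of the landing-host side of the two-stage design Bayard describes: an AuthorizedKeysCommand script that fetches a user's sshPublicKey attributes (the openssh-lpk schema) from LDAP. It uses OpenSSH's own AuthorizedKeysCommand (6.2 and later) rather than the LPK patch; the LDAP URI, base DN, script path and the sshd_config lines are assumptions.

```shell
#!/bin/sh
# Hypothetical AuthorizedKeysCommand for the landing host. sshd runs it as
#   AuthorizedKeysCommand /usr/local/sbin/ldap-keys.sh   (assumed path)
#   AuthorizedKeysCommandUser nobody
#   PubkeyAuthentication yes
#   GSSAPIAuthentication no      # Kerberos stays internal, per the policy above
# and expects authorized_keys lines on stdout for the user named in $1.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"          # assumption
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"     # assumption

# Read LDIF on stdin and print the value of every sshPublicKey attribute.
# Two LDIF details matter for SSH keys: values longer than 76 chars are
# folded onto continuation lines that start with a space, and values are
# base64-encoded ("sshPublicKey:: ...") when they contain non-printables.
keys_from_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }     # unfold continuation
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
        function emit(line,   cmd) {
            if (line ~ /^sshPublicKey:: /) {
                sub(/^sshPublicKey:: /, "", line)
                cmd = "printf %s " line " | base64 -d"
                cmd | getline line; close(cmd)
                print line
            } else if (line ~ /^sshPublicKey: /) {
                sub(/^sshPublicKey: /, "", line)
                print line
            }
        }'
}

# Look up one user. The login name is validated before it goes into the
# LDAP filter, so a crafted name cannot alter the search (filter injection)
# or the shell command line.
lookup_keys() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) echo "ldap-keys: bad user name" >&2; return 1 ;;
    esac
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | keys_from_ldif
}

if [ $# -gt 0 ]; then
    lookup_keys "$1"
fi
```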
