On Wed, 2004-11-10 at 05:46 +1100, O Plameras wrote:

> I am using MIT krb5-1.3.3 which was the latest release in April, 2004.
> The current release is MIT krb5-1.3.5 (http://web.mit.edu/kerberos/www/).
> 
> This is a snippet of what I have in my /etc/krb5.conf:
> 
>  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>  permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>  
> I use this in AFS (Andrew File System - http://www.openafs.org )
> setup at home to test.
> 
> Not only can I configure it to use triple des but in addition it is
> used in combination with others. Sources apart from MIT say
> kerberos5 is the stronger security encryption tool. This is
> easily checked from the Internet.
> 
> The yards to measure security for some tool or software is done by
> evaluating the product in its entirety and not only bits and pieces of
> it.

Your assertion was 'kerberos is MORE secure than ssh' (to that effect).
Your specific setup is NO MORE secure than ssh by default and less
secure than you can make ssh by a simple command line option (better
ciphers) should you need that extra security.  A novice could easily
make themselves LESS secure with Kerberos by using default options.

Yes or No?


You (or your distro) had to configure kerberos to make it that secure
plus by default not all kerberos servers can handle 3DES out of the box.
(For the record you can change the default of ssh just as easily.)

Yes or No?


Kerberos servers are not as available as ssh servers?

Yes or No?

-- 
Ken Foskey

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
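
A check over the enctype lines quoted in the message above, as an added example that is not part of the original thread: for each setting it reports the preference order and any single-DES entries that remain permitted next to des3-hmac-sha1. The function names are hypothetical, the sample input is constructed from the quoted snippet, and krb5.conf section scoping is ignored for brevity.

```python
import re

# The three settings quoted in the thread's /etc/krb5.conf snippet.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample input: the lines quoted in the message above.
SAMPLE_CONF = """\
[libdefaults]
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""

def is_single_des(enctype):
    """True for single-DES (56-bit key) names such as des-cbc-crc; des3-* is excluded."""
    name = enctype.lower()
    return name == "des" or name.startswith("des-")

def audit_enctypes(conf_text):
    """Return {setting: {"order": [...], "single_des": [...], "preferred": str or None}}."""
    report = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or section header
        key, _, value = line.partition("=")
        key = key.strip()
        if key not in ENCTYPE_KEYS:
            continue
        # Entries may be separated by whitespace and/or commas.
        order = [e for e in re.split(r"[\s,]+", value.strip()) if e]
        report[key] = {
            "order": order,
            "single_des": [e for e in order if is_single_des(e)],
            "preferred": order[0] if order else None,
        }
    return report

def missing_keys(report):
    """Settings not set in the file, so the library's built-in defaults apply."""
    return [k for k in ENCTYPE_KEYS if k not in report]

if __name__ == "__main__":
    for key, info in audit_enctypes(SAMPLE_CONF).items():
        print(f"{key}: preferred={info['preferred']} single-DES={info['single_des']}")
```
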
