Ken Foskey wrote:


Your assertion was 'kerberos is MORE secure than ssh' (to that effect). Your specific setup is NO MORE secure than ssh by default and less secure than you can make ssh by a simple command line option (better ciphers) should you need that extra security. A novice could easily make themselves LESS secure with Kerberos by using default options.

Yes or No?




I compared ssh with kerberos using differences in their functionalities. I
do not say, myself, that one or another is better. It's true I stated kerberos
is stronger but that is a quote from people who know, not MINE.


BTW, I use OpenSSH myself (http://www.openssh.org/) and I do not say
there is no place for it other than kerberos. In fact, there are circumstances when
SSH is more appropriate than Kerberos in my judgement, but it is up to the user.
So, I am not trying to convince anyone that my way is the only way. I am just
exposing what's available and what other people say about it.


I just try to expose the materials I am using and so that readers may compare
them to what they have and discover why their experiences are different or
the same as mine.


You (or your distro) had to configure kerberos to make it that secure
plus by default not all kerberos servers can handle 3DES out of the box.
(For the record you can change the default of ssh just as easily.)

Yes or No?




I use MIT kerberos, so far. I am toying with the idea of also testing Heimdal. I
think MIT kerberos is 3DES configured by default, but I haven't checked. You
can check that when you have time. I believe that it will be useful if you check,


http://www.ietf.org/rfc/rfc1510.txt

because as always only snippets of what I know about kerberos I can say. But
RFC1510 spells out comprehensive specifications about kerberos and I do not
pretend to be an expert in these things. I just say what needs to be said IMHO
and I leave the rest to the readers and not ME to make judgements for them.

Kerberos servers are not as available as ssh servers?



I do not know what is specifically meant here and a 'yes' or 'no' is not as simple as
that in matters like this. It is up to the person who has conducted his research thoroughly
to make that call.



-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
