Subject: Re: Centralized User and Password Management
To: Tillman Hodgson <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 12/07/2004 15:01:50
[ On Monday, December 6, 2004 at 14:02:05 (-0600), Tillman Hodgson wrote: ]
> Subject: Re: Centralized User and Password Management
> I sometimes run Kerberos in an IPsec (transport mode) local environment.
> It works well, though it's a higher crypto load on the hosts. It saves
> a user if they were to type `telnet -a somehost` rather than `telnet -x
> somehost` (for those users that haven't aliased "telnet" to
> "/usr/local/krb5/bin telnet -x", that is).
That's a common problem where a "kerberised" system falls down badly....
It should be possible to implement a policy that makes it impossible for
the user to telnet without using encryption.
It should also be easier to maintain such an implementation than the
typcial approach to "kerberisation".
I think the real solution is indeed to always use IPsec, or similar, for
anything to do with the network.
I really Really REALLY detest having to work on special-cased code that
hacks security features into otherwise basic client applications like
"telnet", "cvs", etc., etc., etc., etc., etc. It never ends. Grrr.
Just say "NO!" to "kerberised" client applications. At least SSH does
it better by making it possible to simply use it as a secure RJE and
bulk data transport, and it does it in a way that's very nicely
compatible with all the things we did in unix-land before we realized
that network security was going to be such an important issue.
But now I'm way off topic! ;-)
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <email@example.com>
Planix, Inc. <firstname.lastname@example.org> Secrets of the Weird <email@example.com>