Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: None <port-i386@netbsd.org>
From: Andrew Doran <ad@netbsd.org>
List: port-i386
Date: 08/20/2001 15:19:32
David Burgess <burgess@neonramp.com> wrote:

> > What if you've got to look after more than one machine, or you've got more
> > than one administrator and you want to use ssh? Pretend for a second that
> > Kerberos never existed - what would you do then?
> 
> Do what I do (22 machines, 8 admins).

I'm sure that works well for you, but with 22 machines that's a little too
much extra work and worry for me (although I don't have 8 admins at my
disposal :-). In a large environment, it's just not feasible.

My real point is to object to the blanket statement:

> > Not to nitpick, but in a vacuum, you can ssh into a system as root, but
> > in production, you would probably never want to permit anyone to do that
> > (even/especially if you're using RSA/DSA key authentication).

> I don't use Kerberos, so I'm not sure what the issue is.

With it, you could centrally control who has root access, and (at least with
MIT, don't know about Heimdal) you should be able to see who logged in as
root.

Andrew
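As an added illustration of the PermitRootLogin point under discussion (this is not code from the original thread or from NetBSD), the script below reports the effective global PermitRootLogin value from an sshd_config and classifies it. Two sshd_config parsing rules matter for an audit like this: sshd keeps the first value it reads for a keyword, and settings after the first "Match" line apply only conditionally. The function names and the sample configs are constructed for the example; the "Keyword=value" spelling that sshd_config also accepts is not handled.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the effective global
# PermitRootLogin setting in an sshd_config. sshd uses the FIRST value it
# reads for a keyword, keywords are case-insensitive, and anything after the
# first "Match" line is conditional, so the scan stops there.

effective_permit_root_login() {
    # $1: path to an sshd_config. Prints the value, or "unset" if absent.
    awk '
        NF == 0 || $1 ~ /^#/ { next }                         # blanks, comments
        tolower($1) == "match" { exit }                       # end of global section
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_status() {
    # Prints "restricted" for "no", "key-only" for the settings that refuse
    # passwords but still allow root, and "open" otherwise. "unset" means the
    # compiled-in default applies ("yes" on 2001-era OpenSSH, prohibit-password
    # since OpenSSH 7.0), so an unset keyword is reported as "open" to be safe.
    case "$(effective_permit_root_login "$1")" in
        no) echo restricted ;;
        without-password|prohibit-password|forced-commands-only) echo key-only ;;
        *) echo open ;;
    esac
}

# Constructed sample configs (not real files from any host), written to temp
# files so the functions above can be run as-is.
SAMPLE_OPEN="${TMPDIR:-/tmp}/sshd_config.open.$$"
SAMPLE_RESTRICTED="${TMPDIR:-/tmp}/sshd_config.restricted.$$"
cat > "$SAMPLE_OPEN" <<'EOF'
# The commented-out line below does not count:
# PermitRootLogin no
Port 22
permitrootlogin yes
# The next line is ignored by sshd: the first value wins.
PermitRootLogin no
EOF
cat > "$SAMPLE_RESTRICTED" <<'EOF'
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF

echo "open sample:       $(root_login_status "$SAMPLE_OPEN")"        # open
echo "restricted sample: $(root_login_status "$SAMPLE_RESTRICTED")"  # restricted
```

Run it against `/etc/ssh/sshd_config` on a host to see which of the three categories it falls into; a "key-only" result still means root can log in directly over ssh, which is exactly the case the thread argues against for production machines.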