Subject: Re: ssh - are you nuts?!?
To: None <firstname.lastname@example.org>
From: Tracy J. Di Marco White <email@example.com>
Date: 12/20/2000 09:52:44
}On 17 Dec, Tracy J. Di Marco White wrote:
}> }To come back to ssh, two other advantages (forgive my poor English) are
}> }1) RSA-based host authentication.
}> }2) Instead of entering a username you can also use RSA-based authentication
}> }with a passphrase. It's shortly explained in ssh(1) (man 1 ssh).
}> As a system administrator, I consider RSA based authentication not so much
}> of a plus. I manage systems with up to 45K users, and we mandate decent
}> passwords. Using RSA passphrase authentication allows people to circumvent
}> our password rules, and in fact allows them to choose to have no passphrase
}> at all. We use kerberos, and kerberos encrypted telnet offers some moderate
}> amount of encryption.
}So you believe in your scenario that telnet with kerberos is more than
}enough. Is that correct?
I believe that telnet with kerberos offers barely enough, and only because
we can get a few people to use it. ssh is a plus, but doesn't work for
us yet, and we'll likely never allow RSA based authentication since that
moves pass[word,phrase] control out of our hands.
I love ssh with RSA based authentication for my personal machines, with
a couple people using them who I trust to choose good passphrases because
they're at least as paranoid as I am. At work, I have a 35-45 thousand
person user community who doesn't really care for the fact that we
enforce a minimum password standard, since it only makes for more stuff
for them to type/remember.
Tracy J. Di Marco White
Project Vincent Systems Manager
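The objection above is that, with RSA key authentication, the only thing standing between a stolen key file and a login is a passphrase the site never sees and cannot enforce. Where an administrator can read users' home directories (for example, NFS-mounted homes on a campus system), the one check that is possible is to look at the private key files themselves and report which ones are stored unencrypted. The following is an added example written for this note, not code from the thread or from any ssh distribution. It checks both on-disk formats: the legacy PEM layout (`-----BEGIN RSA PRIVATE KEY-----`), where an encrypted key carries `Proc-Type: 4,ENCRYPTED` and `DEK-Info:` headers, and the later `openssh-key-v1` container, whose decoded body opens with the magic string followed by the cipher and KDF names, `none`/`none` meaning no passphrase. The sample key texts are constructed for the example (the PEM bodies are placeholder base64, which is enough because that branch only inspects headers); the function names are my own.

```python
"""Report private key files that are stored without a passphrase.

Added example for the ssh/passphrase discussion; not part of the original
mailing-list thread and not ssh's own code.
"""
import base64
import struct


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def key_is_encrypted(text: str) -> bool:
    """True if the private key in `text` is protected by a passphrase."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    header, body = lines[0], lines[1:-1]

    if "OPENSSH PRIVATE KEY" in header:
        # openssh-key-v1: magic, then string ciphername, string kdfname.
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(magic))
        kdf, _ = _ssh_string(blob, off)
        return cipher != b"none" or kdf != b"none"

    # Legacy PEM: optional "Key: value" headers, blank line, then base64.
    headers = {}
    for line in body:
        if not line.strip():
            break
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    return headers.get("Proc-Type", "").endswith("ENCRYPTED") and "DEK-Info" in headers


def audit_keys(files: dict) -> list:
    """Given {path: file contents}, return the paths of unprotected keys, sorted."""
    return sorted(p for p, txt in files.items() if not key_is_encrypted(txt))


# ---- constructed samples (not real keys) ----------------------------------

def _fake_openssh_v1(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 container with only the leading fields."""
    blob = b"openssh-key-v1\x00"
    for s in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(s)) + s
    blob += struct.pack(">I", 1)          # number of keys (unused here)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKplaceholderbodynotarealkey
-----END RSA PRIVATE KEY-----
"""

PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5A2D7B0C9E1F4A6B8C0D2E4F6A8B0C1D

Zm9vcGxhY2Vob2xkZXJib2R5
-----END RSA PRIVATE KEY-----
"""

OPENSSH_PLAIN = _fake_openssh_v1(b"none", b"none")
OPENSSH_ENCRYPTED = _fake_openssh_v1(b"aes256-ctr", b"bcrypt")

SAMPLES = {
    "/home/alice/.ssh/id_rsa": PEM_ENCRYPTED,
    "/home/bob/.ssh/id_rsa": PEM_PLAIN,
    "/home/carol/.ssh/id_ed25519": OPENSSH_ENCRYPTED,
    "/home/dave/.ssh/id_ed25519": OPENSSH_PLAIN,
}

if __name__ == "__main__":
    for path in audit_keys(SAMPLES):
        print("no passphrase:", path)
```

The caveat a practitioner should keep in mind is the one the message itself makes: the server only ever sees a signature, so sshd cannot tell whether the client's key was passphrase-protected, and a key kept on a laptop outside the site is invisible to this audit entirely. A site-level check like this therefore covers only keys stored on file systems the administrator controls; for everything else the choice stays with the user, which is the point of the objection.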