Subject: Re: automatic login
To: None <netbsd-users@netbsd.org>
From: Wolfgang Rupprecht <wolfgang+gnus20020708T223412@wsrcc.com>
List: netbsd-users
Date: 07/08/2002 22:43:42
> From my perspective, the benefit of Kerberized rdist is I use my current
> krb5 credentials to do an rdist.  With ssh, I believe my choices would
> involve either typing my password each rdist (or maybe even once per
> machine, per rdist) or permanently leaving RSA/DSA keys in place on the
> rdist targets.

I think both allow some unattended method for getting credentials.
Ssh allows you to generate a private key that has no password
protecting it.  One can then run ssh out of cron.

Kerberos allows the same thing. I used to run this out of the nightly
cron:

    # Per-run credential cache, so concurrent runs do not clobber each other
    export KRB5CCNAME=/tmp/krb5cc_0_$$
    # Get a ticket non-interactively from the host keytab; stop if that fails
    kinit -k -t /etc/krb5.keytab host/capsicum.wsrcc.com@WSRCC.COM || exit 1
    # Capture stdout and stderr in the log (redirections in this order)
    (date; nice -20 time rdist6 -P /usr/bin/rsh -f /etc/Distfile "$@";\
         date) >> /var/log/rdist.log 2>&1
    # Throw the ticket cache away when done
    kdestroy

The part I found uncomfortable was that in each case there was an
unencrypted set of root credentials lying around for the taking.  If
someone manages to copy that file, they could come in from the
internet side as root.

In the normal rsh/rdist case an IPF slapped on the external interface
would protect against any rsh ever coming in from the internet.  I
didn't have to worry about someone copying /etc/krb5.keytab or
/root/.ssh/id_rsa.

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/
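An added example, not from the original message or from the NetBSD project: a small POSIX shell audit for the unattended-credential files the message is uneasy about. It reports any file that is readable by someone other than its expected owner, which is the least one wants to know about a keytab or passphrase-less key left on disk. The paths /etc/krb5.keytab and /root/.ssh/id_rsa come from the message; the function names, the assumption that root owns them, and the mode test (no group/other bits at all) are this example's own, and POSIX ACLs are not inspected.

```shell
#!/bin/sh
# Added example (not the original poster's script): audit files that hold
# unattended credentials and report any that other users could read.
# Assumes plain files and classic mode bits; ACLs are not examined.

# check_secret_file PATH OWNER
# Returns 0 when PATH exists, is owned by OWNER and has no group/other
# permission bits; otherwise prints the reason(s) and returns 1.
check_secret_file() {
    csf_path=$1
    csf_owner=$2
    if [ ! -f "$csf_path" ]; then
        echo "$csf_path: not present or not accessible"
        return 1
    fi
    # ls -ld prints: mode links owner group size date... name
    set -- $(ls -ld "$csf_path")
    csf_mode=$1
    csf_actual_owner=$3
    csf_rc=0
    case "$csf_mode" in
        -???------*) ;;   # only the owner's triplet may be set (e.g. -rw-------)
        *)  echo "$csf_path: group/other access allowed ($csf_mode)"
            csf_rc=1 ;;
    esac
    if [ "$csf_actual_owner" != "$csf_owner" ]; then
        echo "$csf_path: owned by $csf_actual_owner, expected $csf_owner"
        csf_rc=1
    fi
    return $csf_rc
}

# audit_credential_files [EXTRA_PATH...]
# Runs the check over the two files named in the message (expected owner
# root), plus any extra paths given.  Returns 1 if any check failed.
audit_credential_files() {
    acf_rc=0
    for acf_f in /etc/krb5.keytab /root/.ssh/id_rsa "$@"; do
        check_secret_file "$acf_f" root || acf_rc=1
    done
    return $acf_rc
}

# Run the audit when executed directly; extra paths can be passed as arguments.
audit_credential_files "$@" || echo "audit: at least one credential file is exposed"
```

Run it as root (so /root/.ssh is reachable) on each rdist target and on the machine that holds the keytab; a clean run prints nothing. The check only covers who can read the file locally: it does not change the point made in the message, which is that a copyable, unencrypted credential is exposed to anyone who can reach the file at all.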