Subject: Re: ssh - are you nuts?!?
To: None <opentrax@email.com>
From: packet ninja <emory@incumbent.org>
List: tech-security
Date: 01/01/2001 23:36:48
//> Kerberos has a key management infrastructure.  SSH's public key
//> authentication mechanism does not.  It should be clear which one
//> is easier to manage in a large installation of systems.
//>
//Can you state how you find Kerberos more secure than SSH2,
//if that is the case?

You can revoke user privs for all hosts that authenticate via kerberos by
editing the principal (entry) on the KDC.  Even with just kerberized
telnet/rlogin you can authenticate securely and encrypt traffic.

Nothing stops you from using SSH with kerberos to authenticate.  SSH1
clients do this now with kerbIV, so does OpenSSH with v2 support.
Currently, however, there is no support for auth with kerbV (I'm
particularly interested in Heimdal, obviously.)

If you auth users out of kerberos you can easily add/remove users, set
privs for them and easily configure what hosts AND SERVICES users are
allowed to access.

SSH is a replacement for r-services.  It has no intent of being a way to
authenticate site-wide or anything like that other than requiring keys to
be used in lieu of password based authentication.  SSH is not the "end all
be all" for a lot of situations.

It does, however, have the ability to secure services in a great way with
tunneling and whatnot.  Kerberos is an architecture, not a service in the
usual sense of the word.  SSH is a service and an application.  They're
two totally different things.

Sorry for the rambling; I'm also watching a movie while I write these
notes down :)

/*
	ryan emory lundberg		http://www.incumbent.org/
	packet ninja, pki advocate	emory@incumbent.org
	"the dude abides."					/*
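The revocation contrast the post draws, as an added shell example that is not part of the original message: with SSH public-key auth, removing a user means editing authorized_keys on every host, while with Kerberos the same outcome is a single change to the principal on the KDC. The helper names (revoke_ssh_key, revoke_ssh_everywhere, setup_lab) and the "hosts" are assumptions built in a temp directory with fake placeholder key material; the kadmin commands in the comment are MIT and Heimdal syntax and are not executed here.

```shell
#!/bin/sh
# Added example, not from the original post. Contrasts the two revocation
# models described above: Kerberos revokes once at the KDC, SSH public-key
# auth needs every host's authorized_keys edited. Helper names are hypothetical.

# Remove all authorized_keys entries whose trailing comment is "$tag".
# The comment field is the last whitespace-separated token of a key line.
revoke_ssh_key() {
    keyfile="$1"
    tag="$2"
    tmp="$keyfile.tmp"
    grep -v -- " $tag\$" "$keyfile" > "$tmp" || true
    mv "$tmp" "$keyfile"
}

# Number of key lines remaining in an authorized_keys file (0 if none).
count_keys() {
    grep -c '^ssh-' "$1" || true
}

# Build a constructed lab: N "hosts", each with the same two users' keys.
# Key material below is fake placeholder text, not real keys.
setup_lab() {
    lab="$1"
    n="$2"
    i=1
    while [ "$i" -le "$n" ]; do
        d="$lab/host$i/.ssh"
        mkdir -p "$d"
        printf '%s\n' \
            'ssh-rsa AAAAB3FAKEKEYALICE alice@example.org' \
            'ssh-rsa AAAAB3FAKEKEYBOB bob@example.org' \
            > "$d/authorized_keys"
        i=$((i + 1))
    done
}

# SSH model: revoke a user on every host, one file at a time. Prints the
# number of files that had to be touched, which grows with the host count.
revoke_ssh_everywhere() {
    lab="$1"
    tag="$2"
    touched=0
    for f in "$lab"/host*/.ssh/authorized_keys; do
        revoke_ssh_key "$f" "$tag"
        touched=$((touched + 1))
    done
    echo "$touched"
}

# Kerberos model: one change on the KDC covers every kerberized host and
# service. Not executed here (needs a KDC); shown for the contrast only.
#   MIT:     kadmin.local -q 'modify_principal -allow_tix alice@EXAMPLE.ORG'
#   Heimdal: kadmin -l modify --attributes=+disallow-all-tix alice@EXAMPLE.ORG

# Stand-alone demo on three constructed hosts.
lab=$(mktemp -d)
setup_lab "$lab" 3
echo "SSH: edited $(revoke_ssh_everywhere "$lab" alice@example.org) files"
echo "keys left on host1: $(count_keys "$lab/host1/.ssh/authorized_keys")"
rm -rf "$lab"
```

The point of the loop is that its cost is per host, and it silently misses any host whose authorized_keys you forgot about; the Kerberos change has no such fan-out because the hosts never held the credential in the first place.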