Re: Best practices inquiry: tracking SSH host keys

From: Christopher L. Morrow (no email)
Date: Thu Jul 06 2006 - 23:58:43 EDT

  • Next message: Christopher L. Morrow: "Re: Best practices inquiry: tracking SSH host keys"

    On Thu, 6 Jul 2006, Steven M. Bellovin wrote:

    > On Thu, 29 Jun 2006 19:43:48 +0000 (GMT), "Christopher L. Morrow"
    > <> wrote:
    >
    > >
    > > On Thu, 29 Jun 2006, David W. Hankins wrote:
    > >
    > > > So, here's my "why not just":
    > > >
    > > > Why not just use Kerberos?
    > > >
    > >
    > > apparently kerberos scares people... I'm not sure I 'get' that, but :( A
    > > corp security group once for a long time 'didn't believe in kerberos',
    > > some people 'get it' some don't :(
    > >
    > Kerberos is a single point of failure; that scares people. You *know* you
    > have to keep the Kerberos server locked down tight, highly available (very
    > tricky for some ISP scenarios!), etc.

    remote datacenters, firewall/ipf/ipfw/iptables/blah, disable local
    console, only absolutely necessary user accounts... there are other
    protections, but really, make 10 copies spread them around your 'network'.
    It's not that bad, really.

    >
    > SSH is a distributed single point of failure, just like the old thick
    > yellow Ethernet. Remember how reliable and easy to debug that was?
    >
    > More seriously, the original virtue of SSH was that it could be deployed
    > without centralized infrastructure. That's great for many purposes; it's
    > exactly what you don't want if you're an ISP managing a lot of servers and
    > network elements. You really do want a PKI, complete with CRLs. I know

    ssh+kerb works, well... so do kerberized r* services... I'm not sure I see
    how they are that different from PKI. There may be some advantages to PKI,
    but there are risks and operational concerns as well. I suppose people
    should pick what works for them...

    > that (most) SSH implementations don't do that -- complain to your vendor.
    > (Note: the CAs are also single points of failure. However, they can be
    > kept offline or nearly so, booted from a FooLive CD that logs to a
    > multi-session CD or via a write-only network port through a tight
    > firewall, etc. Yes, you have to worry about procedures, physical access,
    > and people, but you *always* have to worry about those.
    >

    right, just like kerberos... I do admit I'm a fan of kerberos, run it at
    home even. anyway :) there are obviously many ways to skin this cat.
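
    As an added example, not part of this 2006 thread: the "PKI complete with CRLs" for host keys that Bellovin asks for, as it can be built today with the certificate and KRL (key revocation list) support OpenSSH added in 5.4 (2010). The CA key stays on the offline box the thread describes; only its public half is handed to clients, and a single @cert-authority line in known_hosts replaces per-host entries. The host name, CA comment, serial number and file layout are illustrative assumptions, and the script uses a scratch directory in place of real hosts.

```shell
#!/bin/sh
# Added example (not from the original thread): OpenSSH host-key PKI with a
# CA plus a revocation list.  Assumes ssh-keygen from OpenSSH >= 5.4 and a
# writable scratch directory; host names, serials and paths are made up.
set -eu

# Scratch directory standing in for the offline CA machine and one host.
WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair.  In production this is generated and kept on the offline
#    CA box; only host_ca.pub ever leaves it.
make_host_ca() {
    [ -f "$WORK/host_ca" ] ||
        ssh-keygen -q -t ed25519 -N '' -C 'host CA' -f "$WORK/host_ca"
}

# 2. Each host generates its own key; the CA signs only the public half.
#    -h = host certificate, -n = principals (names the cert is valid for),
#    -z = serial number (needed for revocation by serial), -V = validity.
#    Output lands in $WORK/<host>_key-cert.pub next to the key.
sign_host_key() {
    host="$1"; serial="$2"
    [ -f "$WORK/${host}_key" ] ||
        ssh-keygen -q -t ed25519 -N '' -C "$host" -f "$WORK/${host}_key"
    ssh-keygen -q -s "$WORK/host_ca" -I "$host" -h -n "$host" \
        -z "$serial" -V +52w "$WORK/${host}_key.pub"
}

# 3. Clients trust the CA, not individual host keys: one @cert-authority
#    line covers every host in the domain pattern.
write_known_hosts() {
    ca_blob=$(cut -d' ' -f1,2 "$WORK/host_ca.pub")
    printf '@cert-authority *.example.net %s\n' "$ca_blob" > "$WORK/known_hosts"
}

# 4. Revocation.  A KRL is the CRL of this scheme: it can revoke a certificate
#    by serial under a named CA (spec file + -s), or an explicit public key.
#    Both forms are recorded here so a compromised host is dead either way.
revoke_host() {
    host="$1"; serial="$2"
    printf 'serial: %s\n' "$serial" > "$WORK/revoke.spec"
    ssh-keygen -q -k -f "$WORK/revoked.krl" -s "$WORK/host_ca.pub" "$WORK/revoke.spec"
    # -u appends to the existing KRL instead of creating a new one.
    ssh-keygen -q -k -u -f "$WORK/revoked.krl" "$WORK/${host}_key.pub"
}

# Query helpers; each exits 0 when the property holds.
is_host_cert() { ssh-keygen -L -f "$1" | grep -q 'host certificate'; }
is_revoked()   { ssh-keygen -Q -f "$WORK/revoked.krl" "$1" | grep -q 'REVOKED'; }

# Walk the lifecycle for one host: issue, trust, revoke, check.
demo() {
    make_host_ca
    sign_host_key host1.example.net 1
    write_known_hosts
    is_host_cert "$WORK/host1.example.net_key-cert.pub" && echo "cert issued"
    revoke_host host1.example.net 1
    is_revoked "$WORK/host1.example.net_key.pub" && echo "key revoked"
    is_revoked "$WORK/host1.example.net_key-cert.pub" && echo "cert revoked"
}

if [ "${1:-}" = "run" ]; then
    demo
fi
```

    Run it as `sh hostpki.sh run` (file name assumed). The KRL is pushed to clients through the RevokedHostKeys directive in ssh_config (and to servers through RevokedKeys in sshd_config for user certificates), which is the distribution problem a CRL always has: revocation only works as fast as that file is refreshed, so the CA being offline does not remove the need for an always-reachable place to fetch the list from.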

