[nycbug-talk] interesting OpenSSH development

Peter Wright pete at nomadlogic.org
Thu Nov 16 13:16:36 EST 2006


> On 11/16/06, Peter Wright <pete at nomadlogic.org> wrote:
>>
>> > On 11/16/06, Peter Wright <pete at nomadlogic.org> wrote:
>> >> http://thread.gmane.org/gmane.os.freebsd.current/86266/focus=86268
>> >>
>> >> I'm sure most folks on talk@ have seen this.  I'm pretty excited to
>> >> tell you the truth.  trying to properly maintain ssh keys on large
>> >> clusters is pain at best.  beck at open obviously had some insight - I'm
>> >> hoping that the end product of this work is something positive (see
>> >> Andre's response to Bob).
>> >>
>> >> -pete
>> >
>> > Why not just use kerberos?  ssh supports kerberos as does a bunch of
>> > other services.  After all if you need to set up a server anyway why
>> > not set up a server for more than just ssh?
>> >
>>
>> <sarcasm>
>> gee never thought of that
>> </sarcasm>
>
> it was more of a question on why come up with another "special"
> security tech that is just not needed, the problem is effectively
> solved so why not just use it?
>

I can't speak for other companies/orgs but we are not in a position to
migrate our current authentication schema over to krb for the foreseeable
future.  although, we are able to implement a key management policy for
our unix clusters - that is separate from our corporate authentication
architecture.  so this would fit the bill, for us, quite nicely.  while it
would be nice to roll out kerberos to the facility - it is just not going
to happen at our shop any time soon.

generally speaking, Andre's follow up to the original post gives a pretty
good explanation on the rationale behind this work.  The last bit, for me
at least, sums up why this is attractive to my shop:

"This OpenSSH PKI system is very simple and easy to use.  All programs
and functions necessary to use it to its full extent are included with
the base OpenSSH distribution."


so sure, krb may be the solution for many people - I can still appreciate
this work nonetheless.

-pete



-- 
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459


