Since Fedora is not aimed at enterprise/business ..

Bill Anderson bill at noreboots.com
Thu Oct 2 21:25:13 UTC 2003


On Thu, 2003-10-02 at 09:36, Chris Ricker wrote:
> On Thu, 2 Oct 2003, Bill Anderson wrote:
> 
> > Kerberos does not do X11-forwarding, for example. Nor does Kerberos
> > provide remote file copying (such as sftp and scp). Kerberos is
> > authentication. SSH while possessing strong authentication is more than
> > an authentication architecture. Thus, they are *different* and serve
> > *different* purposes.
> 
> Not exactly. You're right that Kerberos is an authentication protocol, but
> MIT Kerberos also includes encrypted replacements for many common
> applications:

Those are apps that have been compiled/built to support Kerberos, they
are not the same thing. CVS supports using SSH as a transport, does that
mean CVS is part of SSH? Nope. rsync supports using SSH as the transport
as well. Again, that doesn't mean rsync is a part of SSH.

Of course, no extra libraries are needed for rsync and cvs to use ssh as
a transport, so you can install them with or w/o ssh. Only if you want
to use it do you need to install it. ;^)


> telnet
> ftp
> r* protocols
> 
> If you're in a Kerberized environment, you can safely use Kerberos rcp, rsh, 
> etc., be encrypted and securely authenticated, and not need SSH at all....

No, only if you are in a kerberized environment that uses those
kerberized apps. As I have said, and the two of you apparently refuse to
realize, is that SSH can utilize kerberos as well. You are implicitly
saying that rcp/rsh/telnet for example are a mandatory part of kerberos
utilizing networks. That is factually and materially incorrect.


> About all that SSH offers that the Kerberized apps don't are the "weird 
> things" Dax mentioned, like port forwarding.

Note, those are *apps* not kerberos supplying those. Use a kerberized
ssh and you have no need for telnet, ssh, ftp, rlogin, rcp, et al.

And on top of it you get all the other nice things that SSH does. Maybe
it's me but I don't consider being able to log into a remote machine,
launch a graphical app and have it display on my screen weird. Even if
that machine is through several other "hops" of machines. I also don't
consider scp and sftp weird. Nor do I consider being able to use command
line completion over an scp link weird. Maybe you do. So be it. But
then, maybe we should just consider each other weird then. ;^)

But again, "well if you don't count those other things, this does
everything that other thing does" is not exactly intellectually honest.
After all ... if you don't consider all exploits, holes, and insecure
settings and design choices of Windows, it's just as secure as Linux. Or
if you took away all the oppressive laws of Iran it's just as free as
the US.

Kerberos and SSH are not the same, and do not provide the same things,
thus they are not replacements for each other. Unless, of course, you
want to split hairs over the meaning of "is". ;)



-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com
