Since Fedora is not aimed at enterprise/business ..

Bill Anderson bill at noreboots.com
Thu Oct 2 15:11:03 UTC 2003


On Wed, 2003-10-01 at 15:51, Dax Kelson wrote:
> On Wed, 2003-10-01 at 15:03, Bill Anderson wrote:
> > ng able to do secure network-wide single sign-on is a cool feature!
> > 
> > So is socksified ssh, but we don't get that! I assert that more people
> > use/need that than K support. Heck, nearly every single one of us at HPAQ
> > need it. Not even runsocks is available unless we go elsewhere. And no,
> > Kerberos won't solve that, ;^)
> 
> Funny you mention that. I've been thinking about filing an RFE bug about
> that very topic.

Good luck. Seriously.

> > "SSH is no replacement for Kerberos"
> > Agreed. But then again, you can reverse that statement with no change in
> > truth. Kerberos is not a replacement for SSH either.
> 
> I disagree. I assert that in a kerberized intranet environment there is
> little to no need for SSH.

Kerberos does not do X11-forwarding, for example. Nor does Kerberos
provide remote file copying (such as sftp and scp). Kerberos is
authentication. SSH, while possessing strong authentication, is more than
an authentication architecture. Thus, they are *different* and serve
*different* purposes.


> Modulo all the wacky port-forwarding stuff and connecting to remote
> internet sites, Kerberos does provide the main feature of SSH, namely:

Remove from app A what B doesn't do and call it the same? They do the
same thing if you don't count the things they don't both do??? Sure, I
see that. My Corvette can replace my Durango if you don't count that
wacky 7 passenger seating, 4wd, lots of ground clearance, more expensive
insurance, and significantly higher cargo capacity the Durango has/does.

The main feature of SSH is that I can establish a secure connection from
point a to point b, more than just secure authorization but having the
entire session encrypted. Kerberos does not do that. It was not designed
to. As I've said, Kerberos can be used to provide the authentication
mechanism for SSH. This should be a hint that they are not replacements
for each other. Indeed, one could have an SSH kerberized intranet that
uses SSH as the remote login facility! I'd argue that SSH would be a
massive need in that environment. To compare them is to compare apples
to buffets.

My point was that K and SSH are *not* replacements for each other. It
still stands. They are different things with different purposes.

-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com







More information about the fedora-devel-list mailing list