- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: Kerberos and ssh
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 01:54 AM
тАО12-05-2005 01:54 AM
We are implementing SSH on HP-UX servers. My understandig is that ssh will allow to send both the data and the passwords in encrypted format. If ssh-2 version is enabled than ssh will use kerberos5 as authentication method. What ssh uses by default, /ets/passwd? Does the password sent encrypted?
We also want to tunnel X-Windows (CDE) through SSH, to secure connections between PC and Unix servers.
I wonder if we do all of the above, what will be the advantages in setting up Unix hosts as clients in a Windows 2003 Active Directory domain OR in setting up a cross-realm trust between a Unix Kerberos realm & Active Directory?
Thank you for sharing your thoughts.
Elena.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 02:54 AM
тАО12-05-2005 02:54 AM
Re: Kerberos and ssh
Passwords are encryupted or passed as data
in an encrypted channel.
The advantage of configuring as a client
to Windows 2003 Active Directory is
the ability to change the password in one
location.
Disadvantages:
- All windows users have access to Unix.
- Security problems introduced by single password.
- UID mapping issues between Windows and Unix.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 02:56 AM
тАО12-05-2005 02:56 AM
SolutionPasswords are encryupted or passed as data
in an encrypted channel.
The advantage of configuring as a client
to Windows 2003 Active Directory is
the ability to change the password in one
location.
Disadvantages:
- All windows users have access to Unix.
- Security problems introduced by single password.
- UID mapping issues between Windows and Unix.
If you want your Windows users to have
simpler access to Unix, consider using
ssh key files and avoid the login.
This allows access to be controlled quite
effectively.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 03:23 AM
тАО12-05-2005 03:23 AM
Re: Kerberos and ssh
By default ssh will always encrypt passwords, whether it be ssh1 or ssh2 mode.
There are advantages and disadvantages of the various solutions in the last paragraph.
Unix can be upgraded to Kerberos v5 and work quite well with Windows 2003 Active Directory. Kerberos can be used across the organization and servers.
I'm not a big fan of using Microsoft this way, but this seems to be a rare chance to do both.
Sorry for the post gap, got called away mid type.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 07:28 PM
тАО12-05-2005 07:28 PM
Re: Kerberos and ssh
final goal:
all non-system users managed centraly in the active directory
kerberos for authentication
authorisation info stored in active directory
almost ready for implementation:
kerberos authentication (towards AD KDC)
-users are still created on UX host but left disabled (active in AD): meaning authorisation is still locally
-users can only login using their windows passwd (kerberos) when using ssh: defined in pam.conf
-root is explicitly excluded from kerberos authentication: pam_user.conf. Note: should also be done for the other system accounts, unless you also manage the ADStill Issue to be solved: ssh key-based authentication: needed for batch users (also stored in AD) but should be prohibited for normal users as key-based logon is still possible even if the account is dissabled in AD: bad integration PAM-kerberos-SSH
Next steps to be done: complete integration with AD
-Since Win2003 RC2: Posix scheme (RFC2307) should be standard in AD
-Authorisation on unix done by logonscript using netgroups
Note: LDAPUX client isn't yet ready as it still uses the MSSFU and AD needs a proxy-user (can be changed in AD butperhaps prohibited by your local security rules)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-05-2005 07:41 PM
тАО12-05-2005 07:41 PM
Re: Kerberos and ssh
Standard keys never expire
You cannot prevent users having a blank passphrase
SSH is now one of the most attacked protocols, therefore if users are not choosing adequate passphrases, or not adequately protecting their keys, then you are asking for trouble.
There are ways around this, however it requires thought and planning.