[SLUG] Re: rsync suggestions

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Thu Dec 09 2004 - 04:46:39 EST


On Wed, 2004-12-08 at 18:32, James Marcinek wrote:
> - While I could create ssh keys for each user (and then initiate using the -i
> option), this would require administrative overhead with the add/delete of
> users, so while this is possible it isn't as practical as we would like.

If you have an ADS or, better yet, ADS-2003 domain, don't forget you
_can_ create a Kerberos realm (one-way transitive trust) and leverage
Kerberos ticketing for your SSH authentication.

Most distros today ship a Kerberosized SSH client.

-- Bryan

P.S. I don't advocate ADS-based Kerberos. The concept of running RPC
services on the same system as KDC(s) (which ADS DCs do) is a
mega-security no-no in my book. But if you've already got ADS in place,
and you don't have a Kerberos realm set up, you might as well leverage
it.

-- 
Bryan J. Smith                                 b.j.smith@ieee.org 
------------------------------------------------------------------ 
Beware of advocates who justify their preference not in terms of
what they like about their "choice," but what they did not like
about another option.  Such advocacy is more hurtful than helpful.
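
The following configuration sketch is an added illustration, not part of the original message. It shows one way Kerberos tickets can replace per-user SSH keys for rsync using OpenSSH's GSSAPI options. The realm EXAMPLE.COM, the host names, the user alice and the file locations are placeholders assumed for the example.

```conf
# --- sshd_config on the rsync server (typically /etc/ssh/sshd_config) ---
# Accept Kerberos tickets through GSSAPI. The server needs a keytab that
# holds its host principal, host/<server-fqdn>@<REALM>, issued by the KDC.
GSSAPIAuthentication yes
# Destroy any credential cache created for the session at logout.
GSSAPICleanupCredentials yes
# Once ticket-based logins are confirmed to work, per-user keys can be
# retired so that account removal in the realm is the only revocation step:
# PubkeyAuthentication no

# --- ssh_config on the client (per user: ~/.ssh/config) ---
# Placeholder host pattern; limit GSSAPI to hosts inside the realm.
Host *.example.com
    GSSAPIAuthentication yes
    # Do not forward the ticket to the server unless a second hop needs it.
    GSSAPIDelegateCredentials no
    # Try the ticket only, so a missing or expired ticket fails visibly
    # instead of silently falling back to keys or passwords.
    PreferredAuthentications gssapi-with-mic

# --- usage on the client (placeholder names) ---
#   kinit alice@EXAMPLE.COM        # obtain a ticket-granting ticket
#   klist                          # confirm the ticket and its expiry
#   rsync -a -e ssh /data/ backup.example.com:/srv/backup/
```

With this arrangement, adding or deleting a user happens only in the directory that backs the realm, and no key files have to be distributed or removed on the rsync server.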
