Kerberos and SSH solve similar problems but are quite different in scope. SSH is lightweight and easily deployed, designed to work on existing systems with minimal changes. To enable secure access from one machine to another, simply install an SSH client on the first and a server on the second, and start the server.
Kerberos, in contrast, requires significant infrastructure to be established before use, such as administrative user accounts, a heavily secured central host, and software for networkwide clock synchronization.
SSH sends passwords across the network (over encrypted connections, of course) on each login, and stores keys on each host from which SSH is used. Kerberos also serves other purposes beyond the scope of SSH, including a centralized user account database, access control lists, and a hierarchical model of trust. Another difference between SSH and Kerberos is the approach to securing client applications. SSH secures existing applications without changing their code, by forwarding their TCP connections through its encrypted channel (port forwarding). Kerberos, on the other hand, contains a set of programming libraries for adding authentication and encryption to other applications.
Developers can integrate applications with Kerberos by modifying their source code to make calls to the Kerberos libraries.

IPSEC secures traffic at the IP layer, a lower level of the network stack than SSH addresses, so applications need not be changed at all. IPSEC can securely connect a single machine to a remote network through an intervening untrusted network such as the Internet, or it can connect entire networks; this is the idea of the Virtual Private Network, or VPN.
SRP (the Secure Remote Password protocol) is specifically an authentication protocol, whereas SSH comprises authentication, encryption, integrity, session management, etc. The design goal of SRP is to improve on the security properties of password-style authentication, while retaining its considerable practical advantages: a password travels with you in your head, whereas with public-key authentication you have to carry your private key on a portable storage device and hope that you can get the key into whatever machine you need to use.
For security, a private key is kept encrypted on disk; it may be used only after entering a secret passphrase to decrypt it. Using keys, together with a program called an authentication agent, SSH can authenticate you to all your computer accounts securely without requiring you to memorize many passwords or enter them repeatedly.
It works like this:

1. In advance, and only once, place special, nonsecure files called public key files into your remote computer accounts. These enable your SSH clients (ssh, scp) to access your remote accounts.
2. On your local machine, invoke the ssh-agent program, which runs in the background.
3. Load the keys into the agent with the ssh-add program.

At this point, you have an ssh-agent program running on your local machine, holding your secret keys in memory. You have passwordless access to all your remote accounts that contain your public key files. Say goodbye to the tedium of retyping passwords! The setup lasts until you log out from the local machine or terminate ssh-agent.
Suppose you want to permit another person to use your computer account, but only for certain purposes. With SSH, you can give your secretary access to your account without revealing or changing your password, and with only the ability to run the email program. No system-administrator privileges are required to set up this restricted access. This topic is the focus of Chapter 8.

Port forwarding, which carries the connections of other TCP-based applications through the encrypted SSH session, can also pass such applications through network firewalls that otherwise prevent their use.
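The two procedures described above (installing a public key and loading it into ssh-agent, and granting another person a key that can only run one program) as an added example in POSIX shell. This is not the book's code. The user name, host name, key paths and the public key string are constructed placeholders (the key is not a valid key), and the restricted entry relies on the restrict and command= options of OpenSSH's authorized_keys format; restrict needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not from the book: key-based login with ssh-agent, and a
# restricted authorized_keys entry for the "secretary" case in the text.
# Everything below that names a user, host, path or key is a placeholder.

set -u

# Constructed placeholder, NOT a real key.  Use the contents of your own
# ~/.ssh/id_ed25519.pub instead.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA secretary@example.com'

# Append one line to an authorized_keys file.  The directory and file get
# the permissions sshd's StrictModes insists on (otherwise the key is
# silently ignored), and an entry already present is not duplicated, so
# the function can be re-run safely.
install_authorized_key() {
    dir=$1      # normally $HOME/.ssh on the remote account
    entry=$2    # one authorized_keys line: [options] type key [comment]
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if ! grep -qxF "$entry" "$dir/authorized_keys"; then
        printf '%s\n' "$entry" >> "$dir/authorized_keys"
    fi
}

# Build an entry that lets the holder of a key run exactly one command.
# "restrict" switches off port, agent and X11 forwarding and PTY
# allocation in one word; "pty" re-enables the PTY because an interactive
# mail reader needs one.  Whatever command the client requests is ignored
# and $1 runs instead (the request is still visible to the forced command
# in $SSH_ORIGINAL_COMMAND, which is handy for logging).
restricted_key_entry() {
    cmd=$1
    pubkey=$2
    printf 'restrict,pty,command="%s" %s\n' "$cmd" "$pubkey"
}

# Number of entries in an authorized_keys file that carry a forced
# command; a quick audit of which keys on a shared account are unrestricted.
count_forced_commands() {
    n=$(grep -c 'command="' "$1" 2>/dev/null) || :
    printf '%s\n' "${n:-0}"
}

# The local-side workflow from the text.  Not invoked here because it needs
# OpenSSH and a real remote account; run the steps by hand.
agent_workflow() {
    # 1. Once: generate a key pair.  The private key is encrypted under the
    #    passphrase you are prompted for; do not leave the passphrase empty.
    ssh-keygen -t ed25519 -f "$HOME/.ssh/id_ed25519"
    # 2. Once per remote account: install the public key.  ssh-copy-id does
    #    over the network what install_authorized_key does locally.
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" user@remote.example.com
    # 3. Each login session: start the agent and load the key.  The
    #    passphrase is typed once here, not on every connection.
    eval "$(ssh-agent -s)"
    ssh-add "$HOME/.ssh/id_ed25519"
    # From now on ssh and scp to hosts holding the public key need no
    # password; the agent signs the server's challenge with the key in RAM.
    ssh user@remote.example.com hostname
}
```

Two practical caveats: `ssh-add -c` makes the agent ask for confirmation each time a key is used, which limits the damage if a compromised host gets access to a forwarded agent socket, and a restricted entry constrains only logins made with that particular key; the account's password login is untouched, so the secretary must never learn the password.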