On Tue, Nov 26, 2013 at 6:51 AM, Timothy Murphy <gayleard(a)eircom.net> wrote:
> James Hogarth wrote:
>>> At the moment I'm not clear what advantage keytabs have.
>>> I do not have to login after "ssh -Y ..."
>>> as I have appended id_rsa.pub to known_hosts in each direction.
>> Keytabs are like a file-based password that the machine uses to
>> authenticate to the directory server in order to validate that the token
>> you provide is indeed valid.
>>
>> Without a proper Kerberos infrastructure (keytabs on machines, PTR records
>> in place, time consistent, etc.) GSSAPI for SSH/HTTP/etc. will not work.
> You have not said what advantage this would have.

The big advantage is that if you have a Kerberos authentication system
in place then ssh can use it in a natural way. If you don't have one
then there is substantial cost to set one up.

> As far as I can see, OpenSSH changed the default setting
> (in /etc/ssh/ssh_config) to make GSSAPIAuthentication first choice.
> However, neither Fedora nor CentOS seems to have implemented
> the necessary steps to make this usable.
> Would it be likely to cause any problems
> if one reverts to the default setting (GSSAPIAuthentication no)?

If you don't use Kerberos or any other authentication system that
supports GSSAPI then there is no reason to have GSSAPIAuthentication
enabled. I don't see how it hurts anything to leave it enabled either
though.

John
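
Added example, not part of the original thread: a small shell function that works out which GSSAPIAuthentication value the ssh client would apply to a host, given that ssh keeps the first value it obtains and reads the per-user file before /etc/ssh/ssh_config. The function name, host names and sample files are constructed for illustration; Host patterns are matched only as `*` or an exact name, and Match blocks are skipped.

```shell
#!/bin/sh
# gssapi_effective HOST FILE...
# Prints the GSSAPIAuthentication value that applies to HOST when the given
# ssh_config-style files are read in order (user file first, system file last).
# Prints "no" when nothing sets the keyword, matching the reverted setting
# quoted in the thread (GSSAPIAuthentication no).
gssapi_effective() {
    host=$1; shift
    awk -v host="$host" '
        FNR == 1 { applies = 1 }              # every file starts in global scope
        { sub(/#.*/, ""); gsub(/=/, " ") }    # drop comments, accept key=value
        tolower($1) == "host" {               # new Host block: does it cover HOST?
            applies = 0
            for (i = 2; i <= NF; i++)
                if ($i == "*" || $i == host) applies = 1
            next
        }
        tolower($1) == "match" { applies = 0; next }   # not evaluated here
        applies && tolower($1) == "gssapiauthentication" {
            val = tolower($2); found = 1; exit         # first value obtained wins
        }
        END { print (found ? val : "no") }
    ' "$@"
}

# Constructed sample files (not copied from any real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# System-wide file that enables GSSAPI for every host, as described in the thread.
printf 'Host *\n    GSSAPIAuthentication yes\n' > "$tmp/system_config"

# Per-user file: keep GSSAPI for one Kerberized host, turn it off elsewhere.
printf 'Host login.example.test\n    GSSAPIAuthentication yes\n' > "$tmp/user_config"
printf 'Host *\n    GSSAPIAuthentication no\n' >> "$tmp/user_config"

echo "system file only, other host: $(gssapi_effective other.example.test "$tmp/system_config")"
echo "user + system, other host:    $(gssapi_effective other.example.test "$tmp/user_config" "$tmp/system_config")"
echo "user + system, login host:    $(gssapi_effective login.example.test "$tmp/user_config" "$tmp/system_config")"
```

Because the per-user file is read first, the override takes effect without editing /etc/ssh/ssh_config.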