On Sat, Aug 30, 2008 at 05:46:16PM +0200, Peter Palfrader wrote: > On Sat, 30 Aug 2008, Bastian Blank wrote: > > On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote: > > > The crypto stuff could be alleviated by using ipsec between all our > > > servers. But that works even less well than you'd expect. > > The machines needs to check DNSSEC or the names can be spoofed which > > makes ipsec mood. > Or you use only resolvers that you have a trusted (i.e. ipsec) > connection to and those need to have a complete axfr'ed zone.
Then we can drop the whole ud-ldap thing and use centralized authentication. > > > What other options did we forget? > > > > - Setup Kerberos, allow it as an additional ssh login variant > > Circumvents the entire idea behind this exercise: Assuming an attacker > already has control over one host we want to make it as hard as possible > for them to jump to other hosts. Nope. It is the same that ssh with key auth. Anything an attacker can get is a short-term secret in form of a forwarded ticket. The service ticket themself is useless for anything else then the direct connection between the user and the server. Bastian -- Too much of anything, even love, isn't necessarily a good thing. -- Kirk, "The Trouble with Tribbles", stardate 4525.6 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]