On Tue, Nov 26, 2013 at 6:51 AM, Timothy Murphy <gayle...@eircom.net> wrote:
> James Hogarth wrote:
>
>>> At the moment I'm not clear what advantage keytabs have.
>>> I do not have to login after "ssh -Y ..."
>>> as I have appended id_rsa.pub to known_hosts in each direction.
>
>> Keytabs are like a file-based password that the machine uses to
>> authenticate to the directory server in order to validate that the token
>> you provide is indeed valid.
>>
>> Without a proper Kerberos infrastructure (keytabs on machines, PTR records
>> in place, time consistent, etc.) GSSAPI for SSH/HTTP/etc. will not work.
>
> You have not said what advantage this would have.

The big advantage is that if you have a Kerberos authentication system
in place then ssh can use it in a natural way. If you don't have one
then there is substantial cost to set one up.

> As far as I can see, OpenSSH changed the default setting
> (in /etc/ssh/ssh_config) to make GSSAPIAuthentication first choice.
> However, neither Fedora nor CentOS seems to have implemented
> the necessary steps to make this usable.
>
> Would it be likely to cause any problems
> if one reverts to the default setting (GSSAPIAuthentication no)?

If you don't use Kerberos or any other authentication system that
supports GSSAPI then there is no reason to have GSSAPIAuthentication
enabled. I don't see how it hurts anything to leave it enabled either
though.

John
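
Added example, not part of the original thread: a small Python model of how ssh picks the effective `GSSAPIAuthentication` value, showing that a per-user setting read before `/etc/ssh/ssh_config` overrides a distribution-wide `yes` because the first value obtained wins. The function name, host names and sample config text are constructed for illustration; `Match` blocks and `Include` are not modelled, and `fnmatch` only approximates ssh's `*`/`?` patterns.

```python
import fnmatch

def effective_option(config_text, host, option, default="no"):
    """Return the value ssh would use for `option` when connecting to `host`.

    Modelled ssh_config rules: options before the first Host line apply to
    all hosts, a Host block applies when a pattern matches and no negated
    (!pattern) entry matches, and the FIRST value obtained wins.
    """
    active = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted by ssh.
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            pos = [p for p in args if not p.startswith("!")]
            neg = [p[1:] for p in args if p.startswith("!")]
            active = (any(fnmatch.fnmatchcase(host, p) for p in pos)
                      and not any(fnmatch.fnmatchcase(host, p) for p in neg))
        elif key == "match":
            active = False  # Match blocks are not modelled; skip their options
        elif active and key == option.lower() and args:
            return args[0].lower()
    return default  # upstream default for GSSAPIAuthentication is "no"

# Constructed sample: a distribution-style system file that enables GSSAPI
# everywhere, and a user file that keeps it only for a Kerberos realm.
SYSTEM_CFG = "Host *\n    GSSAPIAuthentication yes\n"
USER_CFG = (
    "# ~/.ssh/config is read before /etc/ssh/ssh_config\n"
    "Host *.corp.example\n"
    "    GSSAPIAuthentication yes\n"
    "Host *\n"
    "    GSSAPIAuthentication=no\n"
)

if __name__ == "__main__":
    for h in ("build1.example.org", "kdc1.corp.example"):
        merged = USER_CFG + SYSTEM_CFG  # same order ssh reads the files
        print(h, effective_option(merged, h, "GSSAPIAuthentication"))
```

On a live system with OpenSSH 6.8 or later, `ssh -G <host>` prints the effective client options and can be used to confirm the result.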