Almost forgot, //Sorin:
SSL uses public key cryptography:
1. You (or your browser) have a public/private keypair.
2. The server has a public/private key as well.
3. You generate a symmetric session key.
4. You encrypt with the server's public key and send this encrypted session key to the server.
5. The server decrypts the encrypted session key with its private key.
6. You and the server begin communicating using the symmetric session key (basically because symmetric keys are faster).
Kerberos does not use public key cryptography. It uses a trusted 3rd party. Here's a sketch:
1. You both (server and client) prove your identity to a trusted 3rd party (via a /secret/).
2. When you want to use the server, you check and see that the server is trustworthy. Meanwhile, the server checks to see that you are trustworthy. Now, mutually assured of each other's identity, you can communicate with the server.
I'm always nervous about 'trusted third parties..' Can you imagine.. That's what holds our credit cards and such, like, um, at Target.. the trusted 'third-party...' Damn, people really go for that??? See, it's a hard call, isn't it??
// weigh it all out... // and make sure you get buy-in and put the DISCLAIMERS in your documentation and on the wikis because it will come back to you at some point ..... if it ever goes down...
BEWARE of anything related to Security solutions on the Net -- because most don't have more than three or four years experience. Most.
~ later.
j/h
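The three-party sketch above (client and server each prove themselves to a trusted third party with a secret, then satisfy each other) in runnable form, as an added example that is not part of the original thread. The `KDC` class, the principal names, the secrets and the toy HMAC-based cipher are all constructed for this example; real Kerberos uses AES encryption types and a key distribution service, but the shape of the exchange is the same: a ticket only the service can open, a reply only the client can open, and a timestamped authenticator that the service echoes back so the client is assured of the service too.

```python
"""Toy Kerberos-style authentication through a trusted third party (KDC).

Added example, not from the CentOS thread. The cipher is a constructed
stand-in (HMAC-SHA256 keystream XOR plus an HMAC tag) so the script runs on
the standard library only. Principal names and secrets are sample values.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first, then decrypt. ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The trusted third party. It holds every principal's long-term secret,
    which is exactly why it must be trusted (and protected)."""

    def __init__(self, secrets: dict, lifetime: float = 300.0):
        self.secrets, self.lifetime = secrets, lifetime

    def issue(self, client: str, service: str) -> tuple:
        """Return (ticket, reply): one fresh session key sealed twice,
        once under the service's secret and once under the client's."""
        session_key, expiry = os.urandom(32).hex(), time.time() + self.lifetime
        ticket = seal(self.secrets[service], {"client": client, "key": session_key, "expiry": expiry})
        reply = seal(self.secrets[client], {"service": service, "key": session_key, "expiry": expiry})
        return ticket, reply


def authenticate(kdc: KDC, client: str, client_secret: bytes,
                 service: str, service_secret: bytes, max_skew: float = 300.0) -> bytes:
    """Run the exchange and return the agreed session key; raise ValueError
    if either side cannot prove its identity."""
    ticket, reply = kdc.issue(client, service)
    # Client side: only a holder of the client's secret can read the reply.
    session_key = bytes.fromhex(unseal(client_secret, reply)["key"])
    now = time.time()
    authenticator = seal(session_key, {"client": client, "ts": now})
    # Service side: only the real service can open the ticket and learn the key.
    t = unseal(service_secret, ticket)
    if t["expiry"] < time.time():
        raise ValueError("ticket expired")
    svc_key = bytes.fromhex(t["key"])
    a = unseal(svc_key, authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(time.time() - a["ts"]) > max_skew:
        raise ValueError("stale authenticator (possible replay)")
    proof = seal(svc_key, {"ts": a["ts"]})  # mutual auth: echo the timestamp back
    # Client side: the echo shows the service really held the ticket's key.
    if unseal(session_key, proof)["ts"] != now:
        raise ValueError("service failed to prove itself")
    return session_key


# Constructed sample principals (names and secrets are made up).
SECRETS = {
    "sorin@EXAMPLE.ORG": b"client-long-term-secret-sample",
    "host/owncloud.example.org": b"service-long-term-secret-sample",
}


def demo(client_secret: bytes = SECRETS["sorin@EXAMPLE.ORG"],
         service_secret: bytes = SECRETS["host/owncloud.example.org"]) -> bool:
    """True if the exchange succeeds with the given secrets, False otherwise."""
    try:
        authenticate(KDC(SECRETS), "sorin@EXAMPLE.ORG", client_secret,
                     "host/owncloud.example.org", service_secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("genuine client and service:", demo())
    print("impostor service (wrong secret):", demo(service_secret=b"guess"))
    print("impostor client (wrong secret):", demo(client_secret=b"guess"))
```

Two things the script makes visible that the sketch only implies: neither party ever sends its long-term secret, only proof of holding it (the ability to open something the KDC sealed); and the KDC alone knows every secret, which is the concentration of trust the thread worries about and the reason the KDC host needs tighter protection than any single service.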
On 1/29/2014 1:49 AM, Sorin Srbu wrote:
>> -----Original Message-----
>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jeffrey Hass
>> Sent: 29 January 2014 09:49
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Good call - not sure how far your coding goes and with what/how languages and scripts... Make sure to have as much as possible on VMs related to your security 'servers' -- so that you also get a virtual built-in disaster recovery as well.
>
> My Google Fu is usually okay. ;-)
>
> We've started offing physical servers in favour of virtual ones. So far mostly Windows servers, but I've started testing e.g. Owncloud on a virtualized CentOS guest. More Linux machines are likely to be virtualized in due time. We (well, I actually...) decided on standardizing on Hyper-V as there was a really good P2V tool available for migrating Windows servers. We had lots of them...
>
>> Note: I didn't catch it, are you using Microsoft's implementation of Kerberos?
>
> We do have a Windows AD in place, it's the main IT here, but it's soon to be migrated to the central university IT dept. One less thing to worry about... *nix was originally only a group business at the dept., but over the years the Linux ratio has upped considerably, what with backup servers etc. running on Linux as well as us affording more machines for the original CADD group.
>
>> There's a reason I ask, you said you need to do something, sounds like fairly quick, probably a good thing, if nothing else get centralization = control! - more so -- than before ~ and so it goes, you will have encapsulated tickets on steroids, to be sure.. but if you're the only person.. is your shop that big that SSL wouldn't do the trick?
>
> SSL? How do you mean? Can you elaborate a bit?
>
> --
> //Sorin
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos