Le 20/02/2024 à 10:53, Lars Noodén via Dng a écrit :
> On 2/19/24 18:52, Vince Mulhollon wrote:
> [snip]> The configs linked above assume the use of forwarded X11 (a local
>> requirement) and permit SSO using Samba-based active directory
>> authentication and are intended for internal use only; you could make
>> something exposed to the internet somewhat more secure.  For example I
>> would not put "PermitRootLogin yes" in the sshd of a host out on the
>> net.
> [snip]
>
> Thanks for the examples and commentary.  It is useful for me to see the
> actual local customizations based on what is actually out there. I used
>  to know a place using Kerberos with SSH.

    I used to also, in two places. Kerberos is very secure in
particular because the authentication is made by a dedicated host (the
KDC, AFAIR) to which nobody has access, except the kerberos admin, and
both the user and the host get authenticated. Kerberos authentication
can also go through GSSAPI, which, I remember was difficult to get
working, but is more comfortable to users because their "ticket" (or
maybe "token", I don't remember) can be reused during its lifetime
without sending again a username and password. Kerberos is also usable
in web servers, Nginx at least. It's a system for large organizations
because it takes a lot of work to deploy and maintain.

--     Didier