Linked by Amjith Ramanujam on Thu 11th Sep 2008 14:32 UTC, submitted by M-Saunders
General Unix A lazy sysadmin is a good sysadmin. Time spent in finding more-efficient shortcuts is time saved later on for that ongoing project of "reading the whole of the internet", so try Linux Format's 10 handy tips to make your admin life easier.
RE: Single Sign On
by Murrell on Tue 16th Sep 2008 00:55 UTC in reply to "Single Sign On"

Because using Kerberos (which, for better or worse, is still the only real SSO solution in town) means that you don't have passwords flying around the network. Mail server gets compromised? Oh, now the cracker has access to all the user accounts who pick up their mail, including the sysadmins. A developer forgot to SSL encrypt all his HTTP traffic? Oops, now passwords are open to being sniffed. Password saved in plaintext on stolen laptop?

The other option is to have individual password databases on each machine. Then people start using ssh-rsa keys and other workarounds, using the default password, and/or the same password in multiple locations and never change it. Furthermore, you then lose the ability to universally lock out an account network-wide.

Also, Kerberos lets you authenticate the service to the end user, so if a server's IP is hijacked, the user will know.

Yes, your admins should probably have a separate account for doing admin work, but that's an entirely different state of affairs. For all your everyday users, SSO, a good screen lockout policy, and the occasional use of http://www.lockyourpc.com/ as a LART tool are a much better security option.

Reply Parent Score: 1
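The two properties the comment above relies on (the password never crosses the network, and the service must authenticate itself back to the user) can be seen in a compact Kerberos-style exchange. The script below is an added illustration written for this page; it is not code from the thread, from Linux Format, or from any Kerberos implementation. It stands in a toy SHA-256 keystream plus HMAC construction for Kerberos's real ciphers and wire format, skips pre-authentication, and the realm, principal names, service key and password are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.TEST"   # constructed realm name
LIFETIME = 300           # ticket validity in seconds


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password. KDC and client each compute this
    locally, so the password itself is never transmitted."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError on a wrong key or altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if len(blob) < 48 or not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key and issues tickets."""
    def __init__(self):
        self.keys = {}

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def ticket_request(self, user: str, service: str) -> bytes:
        # The request names the user but carries no password. The reply is
        # readable only with the user's key; the ticket inside it only with
        # the service's key. (Real Kerberos also demands pre-authentication.)
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"user": user, "skey": session_key, "exp": int(time.time()) + LIFETIME})
        return seal(self.keys[user], {"skey": session_key, "ticket": ticket.hex()})


class Service:
    """A server that knows only its own key, never the user's password."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        t = open_sealed(self.key, ticket)
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        skey = bytes.fromhex(t["skey"])
        a = open_sealed(skey, authenticator)
        if a["user"] != t["user"] or abs(a["ts"] - time.time()) > LIFETIME:
            raise ValueError("authenticator mismatch or clock skew")
        # Mutual authentication: echo ts+1 under the session key, which only a
        # holder of the real service key could have recovered from the ticket.
        return seal(skey, {"ts": a["ts"] + 1})


def client_authenticate(kdc, user, password, service_name, reply_from) -> bool:
    """Client side; True only if the service proves it holds the session key."""
    rep = open_sealed(derive_key(password, user), kdc.ticket_request(user, service_name))
    skey, ticket = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["ticket"])
    ts = int(time.time())
    reply = reply_from(ticket, seal(skey, {"user": user, "ts": ts}))
    try:
        return open_sealed(skey, reply)["ts"] == ts + 1
    except ValueError:
        return False


def build_realm():
    kdc = KDC()
    kdc.register("alice", derive_key("correct horse", "alice"))   # constructed user
    mail_key = os.urandom(32)                                     # constructed service key
    kdc.register("imap/mail", mail_key)
    return kdc, Service("imap/mail", mail_key)


def demo_genuine_service() -> bool:
    kdc, mail = build_realm()
    return client_authenticate(kdc, "alice", "correct horse", "imap/mail", mail.accept)


def demo_hijacked_address() -> bool:
    # Whoever answers at the mail server's IP without the service key cannot
    # read the ticket, so the reply is noise and the client refuses to proceed.
    kdc, _ = build_realm()
    return client_authenticate(kdc, "alice", "correct horse", "imap/mail",
                               lambda ticket, auth: os.urandom(96))


def demo_wrong_password() -> bool:
    kdc, mail = build_realm()
    try:
        client_authenticate(kdc, "alice", "wrong", "imap/mail", mail.accept)
        return False
    except ValueError:
        return True   # rejected on the client; nothing secret reached the wire
```

The three `demo_*` functions map onto the comment's points: the genuine exchange succeeds, a host squatting on the server's address fails the mutual-authentication step, and a bad password is detected locally because the client simply cannot open the KDC's reply. The mail service never learns Alice's password, only a short-lived session key, which is what limits the damage when that server is compromised.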