North American Network Operators Group
Re: Best practices inquiry: tracking SSH host keys
On Fri, Jul 07, 2006 at 10:18:35AM -0400, David Nolan wrote:
> --On Thursday, July 06, 2006 18:22:48 -0700 Jeremy Chadwick
> <nanog@xxxxxxxxxxxxxxxx> wrote:
>
> > Speaking purely from a system administration point of view, Kerberos
> > is also a nightmare. Not only does the single-point-of-failure
> > induce red flags in most SAs I know (myself included),
>
> If a deployed Kerberos environment has a single point of failure then it's
> been deployed poorly. Kerberos has replication mechanisms to provide
> redundancy. The only thing you can't replicate in K5 is the actual master,
> meaning that if the master is down you can't change passwords, create
> users, etc. While that's a single point of failure it's not typically a
> real-time critical one.

Furthermore, it isn't impossible to design a multi-master Kerberos service. I can think of a number of designs, but it would have to be done carefully. I've heard people talking about this in the past, but I haven't yet seen any implementations.

--Shumon.
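The redundancy point above comes down to deployment, so here is an added example (editor's code, not part of the thread and not MIT's own scripts) that makes it concrete for MIT krb5, the "K5" David refers to. It assumes a realm EXAMPLE.COM with invented hosts kdc1.example.com and kdc2.example.com. The first function checks a krb5.conf for the "deployed poorly" case, a realm stanza naming only one KDC; the second is the documented master-to-replica propagation step (kdb5_util dump followed by kprop to each replica's kpropd) that gives ticket issuance its redundancy while admin_server, the master, stays single. The two krb5.conf files are constructed samples written to a temp directory.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Assumes MIT krb5 ("K5"), realm
# EXAMPLE.COM and hypothetical hosts kdc1.example.com / kdc2.example.com.
#
# Part 1: detect the misconfiguration the thread calls "deployed poorly":
# a krb5.conf that names only one KDC for a realm.
# Part 2: the standard MIT master -> replica propagation step that gives
# ticket issuance (not admin operations) its redundancy.

# count_kdcs FILE REALM
# Prints the number of "kdc = ..." lines inside REALM's stanza in [realms].
count_kdcs() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/                                  { section = $1 }
        section == "[realms]" && $1 == realm && $2 == "="  { in_realm = 1; next }
        in_realm && $1 == "}"                              { in_realm = 0 }
        in_realm && $1 == "kdc"                            { n++ }
        END                                                { print n + 0 }
    ' "$1"
}

# check_redundancy FILE REALM
# Returns 0 when at least two KDCs are configured for REALM, 1 otherwise.
check_redundancy() {
    [ "$(count_kdcs "$1" "$2")" -ge 2 ]
}

# propagate_db DUMPFILE REPLICA...
# Run on the master (typically from cron) after admin changes: dump the
# principal database and push it to each replica's kpropd. Each replica must
# run kpropd and list the master's host principal in its kpropd.acl.
# Defined for illustration; this script does not call it.
propagate_db() {
    dumpfile=$1; shift
    kdb5_util dump "$dumpfile" || return 1
    for replica in "$@"; do
        kprop -f "$dumpfile" "$replica" || echo "propagation to $replica failed" >&2
    done
}

# Constructed sample configs (hypothetical hosts) to exercise the check.
workdir=${TMPDIR:-/tmp}/krb5-redundancy-demo
mkdir -p "$workdir"

# Weak: one KDC, so a KDC outage stops all ticket issuance, not just admin.
cat > "$workdir/krb5.conf.weak" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
EOF

# Corrected: two KDCs answer AS/TGS requests; admin_server stays single,
# which is the unreplicated master (password changes, principal creation).
cat > "$workdir/krb5.conf.good" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
EOF

for f in "$workdir/krb5.conf.weak" "$workdir/krb5.conf.good"; do
    if check_redundancy "$f" EXAMPLE.COM; then
        echo "$f: $(count_kdcs "$f" EXAMPLE.COM) KDCs, ticket issuance is redundant"
    else
        echo "$f: single KDC, no redundancy for ticket issuance"
    fi
done
```

The check only reads the client-side view; on the KDCs themselves the same redundancy depends on kpropd actually running on every replica and the propagation cron job succeeding, so the `kprop` failure message above is the line worth alerting on.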