<div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
- critical vulnerabilities are frequently discovered in the MIT Kerberos<br>
software, while SSH has had very few serious security issues, and none<br>
recently.</blockquote><div> </div><div>I didn't know that, tbh. I've used krb5 somewhere else for a while now, and no break-ins. <br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
- Kerberos only works with password authentication, meaning anyone can log into<br>
any account if they know the password; for example, because someone<br>
accidentally typed their password into IRC, or wrote it down somewhere.<br>
Strong password policy requires restrictions on password contents (length,<br>
character types, etc.) that encourage users to write them down (especially<br>
when you have a lot of non-technical users, like us).<br>
</blockquote><div><br>This is the main problem. However, "a lot of non-technical users, like us" is untrue.<br></div><div> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
- conversely, it is very difficult to accidentally paste a private key<br>
somewhere, and it's impossible to guess. Even if it was leaked, the user<br>
would also have to leak the passphrase.<br>
</blockquote><div><br>I doubt many people here use passphrases.<br></div><div> <br>Kerberos was just an example, btw. I was just suggesting the idea of using a centralized auth system.<br><br>Fahad Sadah<br></div></div>