- - Critical vulnerabilities are frequently discovered in the MIT Kerberos
software, while SSH has had very few serious security issues, and none
recently.
I didn't know that, tbh. I've used krb5 somewhere else for a while now, and no break-ins.
- - Kerberos only works with password authentication, meaning anyone can log into
any account if they know the password; for example, because someone
accidentally typed their password into IRC, or wrote it down somewhere.
A strong password policy requires restrictions on password contents (length,
character types, etc.) that encourage users to write them down (especially
when you have a lot of non-technical users, like us).
This is the main problem. However "a lot of non-technical users, like us" is untrue.
- - Conversely, it is very difficult to accidentally paste a private key
somewhere, and it's impossible to guess. Even if it was leaked, the user
would also have to leak the passphrase.
I doubt many people here use passphrases
Kerberos was just an example, btw. I was just suggesting the idea of using a centralized auth system.
Fahad Sadah
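Picking up the point about passphrases on private keys: the following is an added Python example, not code from this thread or from either poster, that audits a directory of SSH private keys and reports which ones are stored without a passphrase. It reads the cipher and KDF names from the header of new-format OpenSSH keys (both are "none" when the key is unencrypted) and checks the Proc-Type header of legacy PEM keys. The sample key files are constructed inside the block (the key material after the header is dummy bytes), and the function names are my own.

```python
import base64
import struct
import tempfile
from pathlib import Path

# New-format OpenSSH keys start with this magic, then two length-prefixed
# strings: the cipher name and the KDF name ("none"/"none" means unencrypted).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read a 4-byte big-endian length-prefixed string (SSH wire format)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'plaintext', 'unknown', or 'not a private key'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return "not a private key"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
            if not raw.startswith(OPENSSH_MAGIC):
                return "unknown"
            cipher, off = _read_string(raw, len(OPENSSH_MAGIC))
            kdf, _ = _read_string(raw, off)
        except (ValueError, struct.error):
            return "unknown"
        return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with password-based encryption
    # Legacy PEM (RSA/DSA/EC) keys signal encryption with a Proc-Type header.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:]):
        return "encrypted"
    return "plaintext"


def audit_key_dir(directory) -> dict:
    """Map each private-key file in `directory` to its classification."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            kind = classify_private_key(path.read_text(errors="replace"))
            if kind != "not a private key":
                results[path.name] = kind
    return results


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a valid OpenSSH key header followed by dummy bytes."""
    raw = (OPENSSH_MAGIC
           + struct.pack(">I", len(cipher)) + cipher
           + struct.pack(">I", len(kdf)) + kdf
           + b"\x00" * 16)  # KDF options and key blobs of a real key omitted
    b64 = base64.encodebytes(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample files: none of these is a real key.
SAMPLE_KEYS = {
    "id_ed25519_plain": _fake_openssh_key(b"none", b"none"),
    "id_ed25519_enc": _fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_legacy_enc": ("-----BEGIN RSA PRIVATE KEY-----\n"
                          "Proc-Type: 4,ENCRYPTED\n"
                          "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                          "\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_rsa_legacy_plain": ("-----BEGIN RSA PRIVATE KEY-----\n"
                            "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_rsa.pub": "ssh-rsa AAAA user@host\n",  # public key, must be skipped
}


def demo() -> dict:
    """Write the constructed samples to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_KEYS.items():
            Path(d, name).write_text(content)
        return audit_key_dir(d)


if __name__ == "__main__":
    for name, kind in demo().items():
        flag = "  <-- no passphrase" if kind == "plaintext" else ""
        print(f"{name}: {kind}{flag}")
```

Run it against a real `~/.ssh` by calling `audit_key_dir(Path.home() / ".ssh")`; every entry reported as `plaintext` is a key whose theft alone grants access, which is exactly the case the passphrase argument above depends on ruling out.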