Alternatives to Kerberos for passwordless server access
I have a bunch of Linux servers and three Windows servers 2008 R2. I would need a solution which would enable passwordless SSH login from each of those servers to all others. I could do this by generating keys on all machines and distribute them to all other servers, but this solution have low scalability. Whenever I add a server, I have to distribute it's key to all servers. Therefore I'd need a solution to centraly administer key and access to ALL servers.
Is KERBEROS a way to go for me? Does anyone know of any silimlar or better solution on Linux? Thanks.
Solution 1:
Kerberos is the best option, but you probably don't want to set it up by hand. It has a lot of moving parts and is easy to get something wrong.
Instead, you should set up a domain and join all of the computers to the domain.
You have three options for setting up a domain for this environment:
- FreeIPA. This is well supported in Linux, especially Red Hat-derived distributions, though it's also available in other distributions. This is your best choice if all or almost all of the computers run Linux; and the few Windows computers can be made to join the domain with a little work.
- Active Directory. The venerable Windows-based domain controller, which is your best choice if most of the computers run Windows.
- Both FreeIPA and Active Directory. If you have a mixed environment, you may wish to run FreeIPA to manage your Linux systems and Active Directory to manage your Windows systems, with appropriate cross-domain trusts between them.
- Samba 4 pretending to be Active Directory. You will often see this in mixed environments, or in places where someone didn't approve the budget for a Windows license to set up AD. It should be evaluated carefully as it may not support all features of modern AD functional levels.
In all cases Kerberos will be used underneath; but you don't usually have to worry about the details, as they are handled for you.
Solution 2:
Kerberos is the best option for this. Is supported in nearly every distro of Linux, Windows since 2000, and Mac since 10.2. It's relatively simple to setup if you already have an existing Windows domain infrastructure. If you do, just Google the name and version of your distro and "kerberize".