
tha0x5 | 5 years ago

Kerberos (sssd-ad) backed authentication for SSH is really the best.

You no longer have to deal with SSH keys whatsoever and all the management that goes with them: when users get their access revoked on AD, they get their SSH access revoked as well. You can have group-based authorization (only those in the SRE group can access this class of QA endpoints), so when dozens of people a month are being added and removed from the various groups, you don't have to worry about giving them keys/access. They can SSO from their laptops, so all they have to do is open PuTTY and they can connect away without even typing their usernames and passwords, etc.

Lots of these new generation "devops" and "full-stack developers" haven't had the experience of AD and Kerberos, so they spend all this time, blog posts, money, etc. to reinvent the wheel.

Sad really.
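A minimal version of the setup this comment describes (sssd joined to AD, group-restricted access, GSSAPI single sign-on for sshd), added here as an illustration and not taken from the thread; the domain, realm, group name and OU path are placeholders.

```ini
# --- /etc/sssd/sssd.conf (placeholder domain corp.example.com) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
# access_provider = ad honours disabled/expired/locked AD accounts, so
# revoking the account in AD revokes SSH access on every joined host.
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
# Only members of the SRE group may log in to this class of hosts
# (placeholder DN; nested membership is resolved by the AD provider).
ad_access_filter = (memberOf=CN=SRE,OU=Groups,DC=corp,DC=example,DC=com)
use_fully_qualified_names = False
fallback_homedir = /home/%u
cache_credentials = True

# --- /etc/ssh/sshd_config.d/50-kerberos.conf ---
# Accept the user's existing Kerberos ticket (TGT) via GSSAPI; the host needs
# host/<fqdn>@REALM in /etc/krb5.keytab, which the domain join creates.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# Turning these off is what actually retires the key/password sprawl; a
# laptop without a valid ticket simply gets no login.
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
# Second, sshd-level gate on the same AD group (sssd returns names lowercased
# for the AD provider, so use the lowercase group name here).
AllowGroups sre
```

Check the result with `sssctl user-checks <user> -s sshd` and `sshd -t` before rolling it out, since a typo in the access filter denies everyone rather than no one.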


solatic | 5 years ago

That's great until you work for a company that bought Macs for everyone for their design and upper-management likes to keep it that way.

GekkePrutser | 5 years ago

You can do it on Mac. I wouldn't recommend binding Macs anymore since Apple broke FileVault for AD accounts in High Sierra (AD accounts don't get the secure token by default, which is needed to unlock the drive).

But since Catalina there's now a great Kerberos SSO plugin that you can push through MDM. Previously this was known as Enterprise Connect but was only available from Apple Professional Services.