And here I am, logging into Linux boxes without entering passwords nor SSH keys thanks to the magic known as Kerberos.
Open up my corporate laptop and log in with my smart card and username/pass combo, then I can just log into any Linux machine I have authorization (group permissions) to. Been doing it this way for over a decade at this rate.
It's like all of these password manager tools were created by people who've never seen nor used these existing solutions.
Lol. Kerberos? Smart cards!? What if I have less than a full team of full time employees able to be put aside to implement a solution? I, as a developer, could integrate 1Password’s solution in my org in an afternoon. Enterprise tooling isn’t for everybody. That approach is what gave us the needless proliferation of Kubernetes.
> What if I have less than a full team of full time employees able to be put aside to implement a solution?
This used to be something a middling UNIX sysadmin could configure and manage. You can also pay for someone to help you implement/manage a solution for this. Though I admit it may be overkill.
> It's like all of these password manager tools were created by people who've never seen nor used these existing solutions.
Maybe, but it sounds like your comment was written from a place where you've never had to actually implement one of those existing solutions.
Kerberos is great. It's also a holy terror to implement properly, especially cross-platform, and especially if you need to federate identity.
I've been down that path. While there are trade-offs with any decision, I wholly understand why so many organizations are going to solutions like Okta/Auth0 + Duo + password managers vs the "tried and true" methods of a directory server + Kerberos + SAML federation through Shibboleth.
SCIM combined with modern cloud SSO makes life much easier than trying to support Kerberos.