FAQ

How secure is storing the private key at the server side?

In principle, a private key encrypted with a passphrase (3DES) does not differ from a password stored in LDAP or in UNIX systems. In our long experience, centrally managed PKI keys are a far more secure concept than an environment where users generate keys themselves and keep them on their own hard drives.

What identity management applications can KDM be connected to?

At present, we have prepared connectors for SUN Identity Manager 7.x and Oracle Waveset. Any other identity manager can be connected through a custom-developed connector that calls stored shell/Perl scripts.

What Linux/UNIX systems can be managed through KDM?

The following systems have been verified and tested:

  • Red Hat Enterprise Linux
  • IBM AIX
  • HP-UX
  • SUSE Linux
  • Solaris

Is it possible to control Windows operating systems through KDM?

No, Windows OS cannot be controlled through KDM. However, users can access KDM from within both Windows and UNIX/Linux environments.

Is it possible to use diceware to generate passphrases for keys?

Yes, KDM can be configured in such a way that passphrases for keys are generated automatically based on a diceware dictionary.
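The diceware-based generation described above, as an added illustration that is not KDM's own code: it parses a diceware-format word list (a constructed eight-entry sample here; a complete list has 7776 entries), draws words with the OS CSPRNG, and computes how many words a target entropy requires.

```python
import math
import secrets

# Constructed sample in diceware format (five dice values, tab, word).
# A real list has 6**5 = 7776 entries; only eight are shown here.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabide
11114\tabject
11115\tablaze
11116\table
11121\tabode
11122\tabort
"""
FULL_LIST_SIZE = 6 ** 5  # 7776 words in a complete diceware list


def parse_diceware(text):
    """Parse 'NNNNN<TAB>word' lines into {dice_code: word}, rejecting bad codes."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        code, word = line.split()
        if len(code) != 5 or any(c not in "123456" for c in code):
            raise ValueError(f"bad dice code: {code!r}")
        table[code] = word
    return table

def entropy_bits(list_size, num_words):
    """Entropy of num_words independent uniform draws from list_size words."""
    return num_words * math.log2(list_size)

def min_words_for(target_bits, list_size=FULL_LIST_SIZE):
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(table, num_words=6, separator=" "):
    """Draw words with the OS CSPRNG (secrets), never the random module."""
    words = sorted(table.values())
    return separator.join(secrets.choice(words) for _ in range(num_words))

if __name__ == "__main__":
    table = parse_diceware(SAMPLE_WORDLIST)
    # Six words from a full list give about 77.5 bits of entropy.
    print(generate_passphrase(table, min_words_for(77)))
```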

Are all KDM-executed changes logged by KDM? Can monitoring be added to such a log?

Yes, all changes executed by KDM are recorded in the KDM audit log, which is stored on the file system. KDM logs can be consumed by standard monitoring tools such as enVision and Nagios.

How many end users is KDM suitable for?

User administration and authentication on UNIX and Linux systems are specific in that the number of users with very high privileges is quite small, while the number of servers is usually quite high (tens to hundreds of servers). KDM is capable of managing hundreds, even thousands, of UNIX servers, depending on the hardware used and on the number of users.

What SSH clients does KDM support?

KDM supports clients and agents that comply with the OpenSSH standard. In the Windows environment, these are programs such as PuTTY and WinSCP. We recommend Pageant as the SSH agent.

What is the difference between KDM and the kerberization of UNIX systems?

KDM and Kerberos technologies are similar to a large extent. They are both based on the issuing of private keys/tickets from a central authority. The most well-known Kerberos server is Microsoft Active Directory, but open source products are also available.

KDM

  • Authentication to KDM through PAM modules, thus enabling multi-factor authentication.
  • Higher security of encryption (RSA + AES) and PKI infrastructure in general.
  • The management of the lifecycles of user identities.
  • The automatic setting of end servers and the possibility to supervise/monitor their configuration.

Kerberos

  • The necessity to 'kerberize' end systems, and high dependence on a central element even when logging into end systems.
  • Authentication only through a password.
  • Lower encryption security.
  • A password serving as a primary encryption key (a danger when a password is stolen).
  • Not possible to manage user identities.
