[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials

bugzilla-daemon at mindrot.org
Sun May 6 22:36:38 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1312

           Summary: Add short command-line option -K for activating
                    GSSAPIDelegateCredentials
           Product: Portable OpenSSH
           Version: 4.4p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Kerberos support
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: Markus.Kuhn at cl.cam.ac.uk


I would like to propose the addition of a new command-line option to
the OpenSSH client program "ssh":

  -K  Enables both GSSAPI authentication and forwarding of
      GSSAPI credentials to server (equivalent to options
      GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes)

Reason:

When logging in to servers that use Kerberized NFS, it is not possible
to use publickey authentication, because ~/.ssh/authorized_keys is not
available at the time of login. In such environments, which become
increasingly common due to security worries about the risks of
unauthenticated NFS, GSSAPI/Kerberos has to be used both to
authenticate the login and to enable the server to access my home
directory. In such an environment, the two command-line options

  -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes

are practically as important as, for example, -X for forwarding X11.
Unfortunately, there exists currently no convenient short command-line
option to activate this function. What I propose is basically the
Kerberos equivalent of the two X11-forwarding options -x (disable) and
-X (enable). The option -k (disable Kerberos ticket forwarding) does
already exist, so adding -K (enable Kerberos forwarding) is the obvious
and intuitive choice here.

Like with X11 forwarding (-X), there may be good security reasons for
not enabling Kerberos ticket forwarding by default, therefore it would
be very useful to have a -K to enable Kerberos ticket forwarding on
demand only where it is appropriate.

Since Kerberos-based authentication is much faster than public-key
based authentication, wherever someone is interested in forwarding a
Kerberos ticket to a server, they will almost certainly also prefer to
use that ticket for login authentication as well. This is why I propose
that -K should enable *both* GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. I can't see a common scenario where you
would want to have the latter without the former.
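As an added example (not part of this bug report or of OpenSSH itself), a small POSIX shell audit that reads an ssh_config-style file and reports which Host blocks enable GSSAPIDelegateCredentials, flagging the catch-all cases ("Host *" or settings outside any Host block) where ticket forwarding would be on by default rather than on demand. The sample config is constructed inline; the parser assumes the usual "Keyword value" or "Keyword=value" line format with case-insensitive keywords.

```sh
#!/bin/sh
# Print the Host pattern of every block that sets GSSAPIDelegateCredentials yes.
# Settings that appear before any Host line are reported as "<global>".
# This reports blocks, not ssh's effective value (ssh keeps the first match).
ssh_delegation_hosts() {
    awk '
        BEGIN { block = "<global>" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^[^ \t=]+/) == 0) next  # no keyword on this line
            kw  = tolower(substr(line, RSTART, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t=]+/, "", val)                 # strip separator
            sub(/[ \t]+$/, "", val)
            if (kw == "host") { block = val; next }
            if (kw == "gssapidelegatecredentials" && tolower(val) == "yes")
                print block
        }
    ' "$1"
}

# Succeed (exit 0) only if a catch-all block enables delegation by default.
ssh_delegation_default_on() {
    ssh_delegation_hosts "$1" | grep -qx -e '\*' -e '<global>'
}

# Constructed sample: delegation limited to the Kerberized-NFS login host.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# forward tickets only where the home directory needs them
Host login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication=yes
    GSSAPIDelegateCredentials no
EOF

ssh_delegation_hosts "$SAMPLE_CFG"
if ssh_delegation_default_on "$SAMPLE_CFG"; then
    echo "WARNING: credential delegation enabled for all hosts"
fi
```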



