[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
bugzilla-daemon at mindrot.org
Sun May 6 22:36:38 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1312
Summary: Add short command-line option -K for activating
GSSAPIDelegateCredentials
Product: Portable OpenSSH
Version: 4.4p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: Markus.Kuhn at cl.cam.ac.uk
I would like to propose the addition of a new command-line option to
the OpenSSH client program "ssh":

     -K      Enables both GSSAPI authentication and forwarding of
             GSSAPI credentials to server (equivalent to options
             GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes)

Reason:

When logging in to servers that use Kerberized NFS, it is not possible
to use publickey authentication, because ~/.ssh/authorized_keys is not
available at the time of login. In such environments, which become
increasingly common due to security worries about the risks of
unauthenticated NFS, GSSAPI/Kerberos has to be used both to
authenticate the login and to enable the server to access my home
directory. In such an environment, the two command-line options

  -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes

are practically as important as, for example, -X for forwarding X11.

Unfortunately, there exists currently no convenient short command-line
option to activate this function. What I propose is basically the
Kerberos equivalent of the two X11-forwarding options -x (disable) and
-X (enable). The option -k (disable Kerberos ticket forwarding) does
already exist, so adding -K (enable Kerberos forwarding) is the obvious
and intuitive choice here.

Like with X11 forwarding (-X), there may be good security reasons for
not enabling Kerberos ticket forwarding by default, therefore it would
be very useful to have a -K to enable Kerberos ticket forwarding on
demand only where it is appropriate.

Since Kerberos-based authentication is much faster than public-key
based authentication, wherever someone is interested in forwarding a
Kerberos ticket to a server, they will almost certainly also prefer to
use that ticket for login authentication as well. This is why I propose
that -K should enable *both* GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. I can't see a common scenario where you
would want to have the latter without the former.
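
The report notes that credential delegation should not be on by default. As an added example (not part of the original report or of OpenSSH), the check below scans ssh_config text and reports GSSAPIDelegateCredentials yes set globally or under a wildcard Host pattern. The function name and the sample hostnames are assumptions; Match blocks other than "Match all" are not evaluated.

```python
import re

# "Keyword value" or "Keyword=value"; ssh_config accepts both forms
_LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

# Constructed sample configuration; hostnames are placeholders
SAMPLE = """\
# constructed sample
Host nfs-login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.example.org
    GSSAPIDelegateCredentials=yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

def broad_delegation(config_text):
    """Return (line_no, scope) for every 'GSSAPIDelegateCredentials yes'
    that applies to more than explicitly named hosts."""
    findings = []
    scope, broad = "global", True  # options before the first Host apply everywhere
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = _LINE.fullmatch(line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            # Negated patterns (!pat) only exclude hosts, so they are ignored here
            pats = [p for p in value.split() if not p.startswith("!")]
            scope = "Host " + value
            broad = any("*" in p or "?" in p for p in pats)
        elif key == "match":
            # Assumption: only 'Match all' counts as broad; other criteria are not evaluated
            scope, broad = "Match " + value, value.lower() == "all"
        elif key == "gssapidelegatecredentials" and value.lower() == "yes" and broad:
            findings.append((line_no, scope))
    return findings

if __name__ == "__main__":
    for line_no, scope in broad_delegation(SAMPLE):
        print(f"line {line_no}: delegation enabled under '{scope}'")
```
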