krb5 support

Dug Song dugsong at monkey.org
Thu Dec 2 16:22:41 EST 1999


On Thu, 2 Dec 1999, Damien Miller wrote:

> This patch seems to use the same CMSG type as the KRBIV support
> currently in OpenSSH. Would it be better to recommend to the author
> that he defines a new CMSG for KRBV instead?

actually, in the mainline ssh-1.2.27 code, the KERBEROS protocol messages
are for Kerberos v5 - my original Kerberos v4 patches weren't integrated
(they originally had dependencies on AFS, etc.).

it would be nice if we could do some magic to determine the version of
Kerberos being used automatically, based on ticket contents. i'm sure this
is possible (perhaps just using pvno in AP_REQ messages), i haven't looked
too deeply into it yet. i'll try to take a look at this soon.

> Around this issue: what is the policy for defining new message types
> in the future?

imo, i don't think we should be extending the protocol at all. the only
exception i could see to that would be GSS-API support, which would
(theoretically, anyhow) be the last security flavor we'd ever have to add
(too bad it's so unwieldy and relatively unused).

-d.

---
http://www.monkey.org/~dugsong/
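
The pvno check suggested above, as an added example that is not part of the original message and is not OpenSSH or ssh-1.2.27 code. It reads only the leading octets of an authenticator: a DER-encoded Kerberos 5 AP-REQ is `[APPLICATION 14] SEQUENCE { pvno [0] INTEGER (5), ... }`. The function names and sample bytes are constructed, and the Kerberos 4 branch assumes the krb4 request layout of a version octet 4 followed by a type octet whose low bit is the byte-order flag.

```c
#include <stddef.h>
#include <stdio.h>

enum krb_version { KRB_UNKNOWN = 0, KRB_V4 = 4, KRB_V5 = 5 };

/* Skip one DER length field (short or long form); 0 on success. */
static int der_skip_len(const unsigned char *b, size_t n, size_t *pos)
{
    unsigned char c;
    if (*pos >= n) return -1;
    c = b[(*pos)++];
    if (c & 0x80) {              /* long form: low 7 bits count the length octets */
        size_t k = c & 0x7f;
        if (k == 0 || k > 4 || n - *pos < k) return -1;
        *pos += k;
    }
    return 0;
}

/* Require tag t at *pos, then step over its length field. */
static int der_expect(const unsigned char *b, size_t n, size_t *pos, unsigned char t)
{
    if (*pos >= n || b[*pos] != t) return -1;
    (*pos)++;
    return der_skip_len(b, n, pos);
}

/* Guess the Kerberos version from the start of an authenticator blob. */
enum krb_version krb_guess_version(const unsigned char *b, size_t n)
{
    size_t pos = 0;
    if (n < 2) return KRB_UNKNOWN;
    /* v5: APPLICATION 14, SEQUENCE, context [0], INTEGER of length 1, value 5 */
    if (der_expect(b, n, &pos, 0x6e) == 0 && der_expect(b, n, &pos, 0x30) == 0 &&
        der_expect(b, n, &pos, 0xa0) == 0 && der_expect(b, n, &pos, 0x02) == 0 &&
        pos < n && b[pos - 1] == 1 && b[pos] == 5)
        return KRB_V5;
    /* Assumed v4 layout: version octet 4, request type 3<<1, low bit = byte order */
    if (b[0] == 4 && (b[1] & ~1) == (3 << 1))
        return KRB_V4;
    return KRB_UNKNOWN;
}

int main(void)
{
    /* Constructed AP-REQ prefix, not captured traffic. */
    const unsigned char v5[] = { 0x6e, 0x82, 0x01, 0x00, 0x30, 0x81, 0xfd,
                                 0xa0, 0x03, 0x02, 0x01, 0x05 };
    printf("guessed version: %d\n", krb_guess_version(v5, sizeof v5));
    return 0;
}
```

The result is only a dispatch hint: the blob still has to be validated by the matching Kerberos library before anything in it is trusted.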







More information about the openssh-unix-dev mailing list