Kerberos V5 integration

Dug Song dugsong at monkey.org
Sun May 21 03:15:01 EST 2000


On Sat, 20 May 2000, Simon Wilkinson wrote:

> I've taken the original patches and updated them to the OpenSSH portable
> 2.1.0 release, replaced the calls to Heimdal specific routines, so it
> builds with the MIT libraries as well, and bug fixed a number of problems
> with the code.

be very careful here.

i've not looked at heimdal, but the MIT krb5 code has historically had
very bad interactions with the ssh-1.2.2x implementation, such that an
unprivileged user could manually set their KRB5CCNAME environment variable
to use someone else's ticket file, and the setuid root ssh client would
happily comply (which is why tatu disabled krb5 support in the official
distribution). let me know if this still works? :-)

the KTH krb4 library used to provide krb4 support for ssh/OpenSSH never
had this problem, as they make an explicit check for the setuid root case.

we also need to find a way to make krb4 and krb5 support interoperate. in
my original krb4 patch, i added version information to the ticket
encoding, which glenn machin didn't use in his krb5 port to distinguish
Kerberos types. we may be able to support both versions with a simple
failover instead.

-d.

---
http://www.monkey.org/~dugsong/
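The setuid-client hazard described above, as an added illustration (not code from OpenSSH, the MIT or KTH libraries, or the author): a setuid root program that blindly honours KRB5CCNAME opens whatever cache file the caller names with root privileges, so the defensive pattern is to ignore the variable whenever the real and effective uids differ and to fall back to the caller's own per-uid cache, and to open the cache only after dropping to the real uid. Function names, the default cache path, and the uid values in the test are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 when running with elevated privileges (setuid/setgid binary),
 * i.e. when the real and effective uids differ. */
int running_setuid(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Choose the credential-cache name to use.  An unprivileged process may
 * honour KRB5CCNAME (env may be NULL when unset); a privileged one must
 * ignore it, since the caller controls the environment, and use the
 * per-real-uid default instead.  Returns 0 on success, -1 on truncation. */
int choose_ccache(uid_t ruid, uid_t euid, const char *env,
                  char *out, size_t outlen)
{
    int n;
    if (!running_setuid(ruid, euid) && env != NULL && *env != '\0')
        n = snprintf(out, outlen, "%s", env);          /* user's own choice */
    else
        n = snprintf(out, outlen, "FILE:/tmp/krb5cc_%lu",
                     (unsigned long)ruid);             /* hypothetical default */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Open the cache with the caller's real uid, not root, so the kernel's
 * file permissions decide whether the caller may read it.  Effective uid is
 * restored afterwards for the rest of the privileged client. */
FILE *open_ccache_as_user(const char *path)
{
    uid_t saved = geteuid();
    FILE *fp;
    if (seteuid(getuid()) != 0)
        return NULL;                  /* could not drop: refuse to open */
    fp = fopen(path, "r");
    if (seteuid(saved) != 0 && fp != NULL) {
        fclose(fp);                   /* could not restore: fail closed */
        return NULL;
    }
    return fp;
}
```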


More information about the openssh-unix-dev mailing list