Kerberos password authentication and SSH2
Kevin Sullivan
ksulliva at psc.edu
Fri Jan 12 09:36:36 EST 2001
On Thu, 11 Jan 2001 22:45:19 +0100, Markus Friedl says

>you cannot remove this code and expect to automagically
>get a full implementation of kerberosIV + SSH2.

I understand that. The only piece I really care about is when you type in
a password, the server checks against the Kerberos database in addition to
/etc/passwd, and issues an AFS token if possible. This works by removing
the 4 lines of code.

The other kerberos features are cool and useful, but I can live without
them. My main concern is people with Windows boxes who only have an SSH2
client.

>until recently, there was no spec for kerberos over SSH2.
>but perhaps kerberos-password authentication works, this needs
>to be tested...

One data point: it works for me. Hmmm, I do see one problem if you have
AFS. In SSH1 you'll get a new pag, but not with SSH2. The k_setpag() code
from auth1.c needs to be in auth2.c. I've appended a patch. Whether or
not you delete the kerberos-disabling code, you should add the k_setpag
code or else someone logging in may get more privs than they expect!

-Kevin

--- auth2.c.orig Thu Jan 11 17:23:48 2001
+++ auth2.c Thu Jan 11 17:24:06 2001
@@ -129,8 +129,12 @@
x_authctxt = authctxt; /*XXX*/
-#ifdef KRB4
- /* turn off kerberos, not supported by SSH2 */
- options.kerberos_authentication = 0;
-#endif
+#ifdef AFS
+ /* If machine has AFS, set process authentication group. */
+ if (k_hasafs()) {
+ k_setpag();
+ k_unlog();
+ }
+#endif /* AFS */
+
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
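
Review bot: In the added `#ifdef AFS` block the results of `k_setpag()` and `k_unlog()` are discarded, so if setting the PAG fails the login would continue without a fresh PAG, which is the situation the message warns about. If these calls report failure, check them and at least log the error or refuse to proceed. The hunk also folds two separate changes together: dropping the `#ifdef KRB4` block that zeroes `options.kerberos_authentication`, and adding the PAG setup. Since the message says the PAG code should go in either way, splitting them would let the PAG fix be applied and reviewed on its own. The new block is guarded by `AFS` while the removed one was guarded by `KRB4`, so it is worth confirming that auth2.c still gets the declarations for `k_hasafs()` and friends in a build where only `AFS` is defined.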