Kerberos password authentication and SSH2

Hans Insulander hin at stacken.kth.se
Sat Jan 13 03:26:12 EST 2001


Kevin Sullivan <ksulliva at psc.edu> writes:

> On Thu, 11 Jan 2001 22:45:19 +0100, Markus Friedl says
> >you cannot remove this code and expect to automagically
> >get a full implementation of kerberosIV + SSH2.
> 
> I understand that.  The only piece I really care about is when you type in
> a password, the server checks against the Kerberos database in addition to
> /etc/passwd, and issues an AFS token if possible.  This works by removing
> the 4 lines of code.
> 
> The other kerberos features are cool and useful, but I can live without
> them.  My main concern is people with Windows boxes who only have a SSH2
> client.  
> 
> >until recently, there was no spec for kerberos over SSH2.
> >but perhaps kerberos-password authentication works, this needs
> >to be tested...
> 
> One data point: it works for me.  Hmmm, I do see one problem if you have
> AFS.  In SSH1 you'll get a new pag, but not with SSH2.  The k_setpag() code
> from auth1.c needs to be in auth2.c.  I've appended a patch.  Whether or
> not you delete the kerberos-disabling code, you should add the k_setpag
> code or else someone logging in may get more privs than they expect!
> 
> 	-Kevin
> 
> --- auth2.c.orig        Thu Jan 11 17:23:48 2001
> +++ auth2.c     Thu Jan 11 17:24:06 2001
> @@ -129,8 +129,12 @@
>         x_authctxt = authctxt;          /*XXX*/
>  
> -#ifdef KRB4
> -        /* turn off kerberos, not supported by SSH2 */
> -        options.kerberos_authentication = 0;
> -#endif
> +#ifdef AFS
> +        /* If machine has AFS, set process authentication group. */
> +        if (k_hasafs()) {
> +                k_setpag();
> +                k_unlog();
> +        }
> +#endif /* AFS */
> +
>          dispatch_init(&protocol_error);
>          dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
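Review bot: this hunk bundles two independent changes and they should be split. The removed lines (the "#ifdef KRB4 ... options.kerberos_authentication = 0;" block) stop forcing Kerberos off for SSH2 on every KRB4 build, which is exactly the change Markus cautioned about and which the cover note says still needs testing on the password path; the added "#ifdef AFS" block just copies the k_hasafs()/k_setpag()/k_unlog() sequence from auth1.c and, as the cover note itself says, is needed whether or not the disabling code goes. Committing the PAG block on its own lets that fix land without deciding the KRB4 question. Within the added block, the return value of k_setpag() is discarded: since the stated risk is that a login without a fresh PAG inherits the parent's AFS tokens, a failed k_setpag() should at least be logged rather than silently falling through to k_unlog().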
> 
> 

I've already reported exactly this fix a couple of months ago, but no one
seemed to understand, or care.

This fix is correct, someone should commit it.

-- 
--- Hans Insulander <hin at stacken.kth.se>, SM0UTY -----------------------
Gravity never loses. The best you can hope for is a draw.

More information about the openssh-unix-dev mailing list