Kerberos 5 and OpenSSH 2.5.2p2

Simon Wilkinson sxw at dcs.ed.ac.uk
Tue Mar 27 11:33:35 EST 2001


> Are there any patches to enable Krb5 for OpenSSH? I'm trying to get a
> proof of concept done so I can eventually roll Krb5 and OpenSSH out as our
> primary AA infrastructure and I'm having a hard time of it. Can someone
> point me to info to help?

I've been doing quite a bit of work on this - 
see http://www.sxw.org.uk/computing/patches

I've got a patch now which implements Kerberos v5 in protocol v1 and GSSAPI
(which you can use with Kerberos as a mechanism) in protocol v2. The v1 code
is based on work originally done by Daniel Kouril.

The version 2 patch is based on two internet drafts, and seems to be
attracting little controversy.

The situation with the version 1 code is a little more complicated, as
it is not interoperable with ssh.com krb5. As I understand it from
watching the wire the ssh.com code implements Kerberos 5 support by
reusing the kerberos 4 message types, and message ordering.  This
means that the ssh.com code sends the TGT _before_ authenticating the
user (sequence is TGT,REQ,REP). In my patch we use different message
codes (allowing Kerberos 4 and 5 to coexist), and send the TGT only
if authentication succeeds (REQ,REP,TGT).

I've been talking to some folk about where we go from here, but it's gone
fairly quiet of late. I guess the questions are:
1) Do we do it the ssh.com way?
2) Is sending the TGT first broken?
3) Do we want to try and handle both krb4 and krb5 support in the same
   binary?

I've got spare cycles to work on this at the moment - I don't know how
much longer they'll still be available (before I get dragged headlong into
the wonderful world of LDAP replication :-(

I'll be posting a "two diff" version of this patch tomorrow, with the GSSAPI
support split off from the KRB5 stuff, in the hope that they can be
progressed separately.

Cheers,

Simon.
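The two message orderings contrasted in the post (ssh.com's TGT,REQ,REP versus the patch's REQ,REP,TGT), played out as a toy client/server exchange. This is an added example, not code from the original post or from the patch it describes; the message labels, the toy server, and the principal and authenticator values are this example's own assumptions. It shows why question 2 matters: in the TGT-first order the server holds the forwarded credential even when authentication then fails.

```python
from dataclasses import dataclass, field

# Labels for the three steps named in the post; the real message codes of
# either implementation are not shown there (assumed names).
REQ, REP, TGT = "KRB5_AP_REQ", "KRB5_AP_REP", "KRB5_TGT"

SSHCOM_ORDER = (TGT, REQ, REP)   # ssh.com: TGT forwarded before authentication
PATCH_ORDER = (REQ, REP, TGT)    # the patch: TGT forwarded only after success


@dataclass
class Server:
    """Toy sshd side: verifies the AP-REQ and records whether a TGT arrived."""
    valid_creds: dict                      # constructed principal -> authenticator
    authenticated: bool = False
    received_tgt: bool = False
    log: list = field(default_factory=list)

    def handle(self, msg_type, payload):
        self.log.append(msg_type)
        if msg_type == REQ:
            expected = self.valid_creds.get(payload["principal"])
            self.authenticated = expected is not None and expected == payload["authenticator"]
            return REP, {"ok": self.authenticated}
        if msg_type == TGT:
            # In TGT-first order the server cannot yet know whether this peer
            # will authenticate, but the credential is already in its hands.
            self.received_tgt = True
            return None
        raise ValueError(f"unexpected message {msg_type}")


def run_session(order, server, principal, authenticator, tgt):
    """Drive one client session; returns what the server ended up holding."""
    auth_ok = None                          # unknown until REP is received
    for step in order:
        if step == REQ:
            _, rep = server.handle(REQ, {"principal": principal,
                                         "authenticator": authenticator})
            auth_ok = rep["ok"]
        elif step == TGT and auth_ok is not False:
            # Before REP (ssh.com order) the client sends the TGT blindly;
            # after a successful REP (patch order) it sends it deliberately.
            server.handle(TGT, tgt)
    return {"authenticated": server.authenticated,
            "tgt_disclosed": server.received_tgt}


if __name__ == "__main__":
    for name, order in (("ssh.com", SSHCOM_ORDER), ("patch", PATCH_ORDER)):
        srv = Server({"alice@EXAMPLE.ORG": "good-authenticator"})
        print(name, run_session(order, srv, "alice@EXAMPLE.ORG", "bad", b"tgt"))
```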