privsep+kerb5+ssh1
Jan IVEN
jan.iven at cern.ch
Thu Aug 1 01:55:17 EST 2002
>>>>> "MF" == Markus Friedl <markus at openbsd.org> writes:
MF> please test Olaf Kirch's patch. it looks fine to me, but i don't do K5.
MF> i'd like to see this in the next release. thx
For what it's worth, a similar patch for KRB4+5 is appended to
http://bugzilla.mindrot.org/show_bug.cgi?id=324 -- and I cannot test
the KRB5 part either (therefore neither Olaf's version). KRB4 seems to
work.
I still have some more patches related to KRB4/AFS/SSH1, and would be most
happy to get rid of them. They deal with:
* mkstemp() on RH7.2 (and above, based on glibc-2.2) being very
  restrictive, breaking KRB4 TGT passing. Moving to the XXXXXX format
  seems to cause trouble because the same ticket file is being
  re-used. The patch adds a check for autoconf to use the bsd_compat
  mkstemp(). http://bugzilla.mindrot.org/show_bug.cgi?id=44
* KRB4-TGT forwarding overwrites credentials (AFS token, KRB4 TGT)
  from a successful password auth. This tends to confuse users. "-k"
  is a workaround, but was not necessary pre-3.0. The patch disables
  credential forwarding on the server after password auth succeeded.
* an extended version of the KRB4/5+PRIVSEP patch above that enables
  "early" KRB4/AFS credential forwarding (as done by older/non-OpenSSH
  clients). These credentials now get stored and will be used after
  successful authentication.
Unrelated, but useful:
* make ssh/sshd handle unknown configuration options non-fatally --
  ~/.ssh/config files on AFS tend to be used by multiple versions of
  ssh clients, and barfing because the new version does not like old
  options is unfriendly. For the sshd, the problem is less acute due
  to "-t", but it still prevents us from screwing with other admins'
  config files...
All of them are against 3.4p1, but I would be willing to port them
forward to something more recent if this would get them accepted...
Regards
Jan