Using Kerberos5 in 3.3p1

Hans Insulander hin at stacken.kth.se
Thu Jun 27 05:43:05 EST 2002


Simon Wilkinson <sxw at dcs.ed.ac.uk> writes:

> On Wed, 26 Jun 2002, Daniel Kouril wrote:
> 
> > I'm not able to get Kerberos5 authentication to work together with PrivSep.
> > According to strace, it seems that the kerberos authentication stage is
> > performed by the user process in chrooted environment. The problem is that
> > Kerberos authentication must be done by root. Is anybody working on a fix?
> > (or am I missing something in configuration?)
> 
> No - I think that's correct. I'm working on getting my GSSAPI patches
> going with PrivSep - I think I'm nearly there. I haven't looked in depth
> at the protocol 1 krb5 stuff.

As far as I can tell, it does not work at the moment. And people seem to
have elected me as a volunteer to fix this... However, my time is pretty
limited right now, and I'm not an ssh hacker, so if someone wants to help
me out with this I'd really appreciate it.

What needs to be done, afaik, is to receive the kerberos auth data in the
unprivileged client process, marshal it and send it over to the monitor process.
The monitor should validate the information and say "ok" or "not ok" back to
the client. I have very little clue as to how to do that.

-- 
--- Hans Insulander <hin at stacken.kth.se>, SM0UTY -----------------------
Gravity never loses. The best you can hope for is a draw.
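
The exchange described in the message above (unprivileged process marshals the auth data, monitor validates it and answers "ok" or "not ok"), as an added example that is not part of the original post and not OpenSSH's own code. The names `privsep_auth`, `monitor_serve`, `validate_blob` and `MAX_AUTH_BLOB` are hypothetical, and `validate_blob` is a stand-in for the real Kerberos check.

```c
#include <arpa/inet.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_AUTH_BLOB 4096 /* assumed cap; the monitor rejects larger claims */
/* Move exactly n bytes (wr=1 write, wr=0 read); 0 on success, -1 on error/EOF. */
static int xfer(int fd, void *buf, size_t n, int wr) {
    for (unsigned char *p = buf; n > 0; ) {
        ssize_t r = wr ? write(fd, p, n) : read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}
/* Stand-in for the privileged Kerberos check; the accepted value is constructed. */
static int validate_blob(const unsigned char *b, uint32_t n) {
    static const char ok[] = "constructed-valid-ticket";
    return n == sizeof ok - 1 && memcmp(b, ok, n) == 0;
}
/* Monitor: bounds-check the claimed length before reading; default is "not ok". */
static void monitor_serve(int fd) {
    unsigned char buf[MAX_AUTH_BLOB], verdict = 0;
    uint32_t len;
    if (xfer(fd, &len, sizeof len, 0) == 0 && (len = ntohl(len)) <= MAX_AUTH_BLOB
        && xfer(fd, buf, len, 0) == 0)
        verdict = (unsigned char)validate_blob(buf, len);
    xfer(fd, &verdict, 1, 1);
}
/* Returns the verdict as the unprivileged child saw it: 1 ok, 0 not ok, -1 error. */
int privsep_auth(const unsigned char *blob, uint32_t len) {
    int sv[2], status;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { /* unprivileged side: marshal as length + bytes, then wait */
        unsigned char verdict = 0;
        uint32_t nlen = htonl(len);
        signal(SIGPIPE, SIG_IGN); close(sv[0]); /* monitor may hang up early */
        if (xfer(sv[1], &nlen, sizeof nlen, 1) == 0 && xfer(sv[1], (void *)blob, len, 1) == 0)
            xfer(sv[1], &verdict, 1, 0);
        _exit(verdict == 1); /* anything but an explicit 1 counts as "not ok" */
    }
    close(sv[1]);
    monitor_serve(sv[0]);
    close(sv[0]);
    return (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
}
/* Exit status 0 means the constructed ticket was accepted by the monitor. */
int main(void) { return privsep_auth((const unsigned char *)"constructed-valid-ticket", 24) == 1 ? 0 : 1; }
```

The monitor treats both the length field and the blob as untrusted input, so a short read, an oversized claim or a failed validation all end in the same "not ok" byte.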
