Curious about final KRB5/GSSAPI patch inclusion.

Simon Wilkinson sxw at dcs.ed.ac.uk
Wed May 22 00:39:28 EST 2002


On Tue, 21 May 2002 Nicolas.Williams at ubsw.com wrote:

> Unfortunately the GSS-API is not enough - some
> mechanism-specific APIs are needed to properly handle credentials and
> what not

In particular, there are problems with user authorization (the kuserok()
step), and with storing delegated credentials locally. Both of the two
supported GSSAPI mechanisms (Kerberos and GSI) handle these differently,
and Heimdal and MIT Kerberos even differ in their handling of credentials
storage. Gack.

The Grid folk have an extensions draft that handles the credential storage
issue, but doesn't address the authorization one (although Nico's
extension of authorized_keys could do so). The extensions draft also still
leaves some things as "mechanism dependent".

I guess the upshot is that the OpenSSH GSSAPI code will still need some
knowledge of the underlying mechanism for some time to come. However,
it should be possible to make it work with an implementation supporting
multiple mechanisms, providing that portions of the underlying API are
exposed.

Cheers,

Simon.
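An added illustration of the "kuserok() step" the message refers to (example code written for this page, not part of Simon's message or of OpenSSH): once GSSAPI has authenticated the peer, the server still has to decide whether that principal may log in as the requested local account, and the rule for doing so lives outside the generic GSS-API. The model below uses the default Kerberos behaviour (principal listed in ~user/.k5login, or else principal equal to user@DEFAULT-REALM) and the GSI grid-mapfile behaviour (quoted DN mapped to a local user name). The realm EXAMPLE.ORG, the user names and the file contents are constructed for the example, and the file lookups are stand-ins for reading the real files.

```c
/* Added example, not OpenSSH code: a simplified model of the mechanism-specific
 * user-authorization step ("kuserok()") that follows a GSSAPI authentication.
 *  - Kerberos: if ~<user>/.k5login exists the principal must be listed there,
 *    otherwise only <user>@DEFAULT_REALM is accepted (default krb5_kuserok()
 *    and aname_to_localname behaviour, simplified; ownership checks omitted).
 *  - GSI: the certificate DN must map to <user> in a grid-mapfile whose lines
 *    have the form "<DN>" <localuser>.
 * Realm, names and file contents below are constructed for the example. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_REALM "EXAMPLE.ORG"   /* assumed realm for the example */

/* Constructed stand-in for ~alice/.k5login; other users have no such file. */
static const char *const K5LOGIN_ALICE =
    "alice@EXAMPLE.ORG\n"
    "alice/admin@EXAMPLE.ORG\n";

/* Constructed stand-in for /etc/grid-security/grid-mapfile. */
static const char *const GRIDMAP =
    "\"/C=UK/O=eScience/OU=Edinburgh/CN=alice smith\" alice\n"
    "\"/C=UK/O=eScience/OU=Edinburgh/CN=bob jones\" bob\n";

/* Stand-in for reading the user's .k5login; NULL means the file is absent. */
static const char *k5login_for(const char *luser)
{
    return strcmp(luser, "alice") == 0 ? K5LOGIN_ALICE : NULL;
}

/* True if some whole line of text equals needle (exact match, no wildcards). */
static int line_in(const char *text, const char *needle)
{
    size_t nlen = strlen(needle);
    for (const char *p = text; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == nlen && memcmp(p, needle, nlen) == 0)
            return 1;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Kerberos rule: .k5login if present, else principal must be luser@DEFAULT_REALM. */
int krb5_style_kuserok(const char *principal, const char *luser)
{
    const char *k5login = k5login_for(luser);
    char want[256];
    if (k5login != NULL)
        return line_in(k5login, principal);
    snprintf(want, sizeof want, "%s@%s", luser, DEFAULT_REALM);
    return strcmp(principal, want) == 0;
}

/* GSI rule: the quoted DN must map to exactly luser in the grid-mapfile. */
int gsi_style_userok(const char *dn, const char *luser)
{
    size_t dnlen = strlen(dn), ulen = strlen(luser);
    for (const char *p = GRIDMAP; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *end = p + len;
        if (len > 2 && p[0] == '"') {
            const char *endq = memchr(p + 1, '"', len - 1);  /* closing quote of DN */
            if (endq != NULL) {
                const char *u = endq + 1;
                while (u < end && *u == ' ')  /* skip separator before the user name */
                    u++;
                if ((size_t)(endq - (p + 1)) == dnlen && memcmp(p + 1, dn, dnlen) == 0 &&
                    (size_t)(end - u) == ulen && memcmp(u, luser, ulen) == 0)
                    return 1;
            }
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return 0;
}

enum gss_mech { MECH_KRB5, MECH_GSI };

/* The dispatch sshd needs: the GSSAPI display name alone does not say which rule applies. */
int mech_userok(enum gss_mech mech, const char *display_name, const char *luser)
{
    switch (mech) {
    case MECH_KRB5: return krb5_style_kuserok(display_name, luser);
    case MECH_GSI:  return gsi_style_userok(display_name, luser);
    }
    return 0;   /* unknown mechanism: deny */
}

int main(void)
{
    printf("krb5 alice/admin -> alice: %d\n", mech_userok(MECH_KRB5, "alice/admin@EXAMPLE.ORG", "alice"));
    printf("gsi  alice DN    -> bob:   %d\n",
           mech_userok(MECH_GSI, "/C=UK/O=eScience/OU=Edinburgh/CN=alice smith", "bob"));
    return 0;
}
```

Note that neither rule can be expressed through the generic GSS-API name alone: the Kerberos check needs the realm and the principal's component structure, and the GSI check needs the certificate subject, which is why the server code has to know which mechanism produced the name.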

More information about the openssh-unix-dev mailing list