Kerberos Support in OpenSSH

Joel N. Weber II openssh-dev at joelweber.com
Wed Jul 2 05:26:28 EST 2003


> Is the question only about the security of Stephen's patch?
>
> Or is it also a question of OpenSSH relying on a GSSAPI and either a 
> Kerberos or X.509 implementation which has not been audited by the 
> OpenSSH/OpenBSD developers?

That's a good question, which has not been answered.

However, www.openbsd.org/crypto.html indicates that OpenBSD already
ships Heimdal, so a reasonable educated guess may be that Heimdal has
already been sufficiently audited by the OpenBSD folks.

> I believe the offer from MIT was that the Kerberos Core Developers would 
> audit Stephen's patches and ensure that the usage of the Kerberos API 
> was not introducing any security bugs.  The concern MIT and much of the 
> rest of the Kerberos community has with the ssh.com and SSHv1 Kerberos 
> solutions is that the improper use of the Kerberos protocols leaves the 
> door open for potential attacks.  As we are all aware, secure code 
> requires more than just making sure there are no buffer overrun errors.

Well, most of us are aware of this, anyway.

If the offer from MIT was *only* about the GSSAPI usage and not about
verifying that there are no buffer overflows in parts of the code that
aren't calls to GSSAPI, then it probably doesn't cover all of the
concerns of the openssh developers.

> Of course, it is the GSSAPI-KerberosV Key Exchange which is of most 
> interest to the Kerberos community.

Yes.  (I'm a little unclear on why I might ever care about the
``gssapi'' userauth method, given the desire to use Kerberos to
prevent man in the middle attacks.)  However, given that Markus has
asked to start with just the gssapi userauth, it sounds like that's
the thing to do; and once the openssh folks have a chance to start to
familiarize themselves with GSSAPI, and everyone works out a process
that works for integrating GSSAPI code into openssh after sufficient
auditing etc, I bet the rest can go more smoothly.

I certainly do hope that all of the functionality of sxw's patch will
end up in the openssh distribution eventually.







More information about the openssh-unix-dev mailing list