Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Douglas E. Engert deengert at anl.gov
Thu May 15 06:24:49 EST 2003


Rather than adding Kerberos password support directly into OpenSSH, I would
recommend that you use GSSAPI support from Simon Wilkinson <simon at sxw.org.uk>
http://www.sxw.org.uk/computing/patches/openssh.html

If you must send the kerberos userid and password over the network then use 
the PAM exits to authenticate to Kerberos. In other words avoid adding Kerberos
directly into OpenSSH.

Simon's excellent GSSAPI code is following along closely with the IETF
"GSSAPI Authentication and Key Exchange for the Secure Shell Protocol" 
http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt

So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
modifications instead. 

The GSSAPI has been implemented by a number of other vendors as well,
so having this in OpenSSH would greatly enhance interoperability. 

We are now running with Simon's mods on 3.6.1p2 and have run this way since
3.0.2 on a number of platforms. We use Unix and Windows based ssh clients
to connect to the servers running OpenSSH. I am sure there are many other
sites doing the same thing and all of us would appreciate it if GSSAPI mods
were included in the base OpenSSH source.

"James F.Hranicky" wrote:
> 
> Is anyone interested in the patch I submitted to this list adding keyboard
> interactive Kerberos support (i.e., should I submit a bugzilla report)?
> 
> If not, I can just maintain it locally.
> 
> Thanks,
> 
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
>                           About politics:
>                      Don't worry about results
>                    It's the thought that counts
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444



