Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

James F. Hranicky jfh at cise.ufl.edu
Thu May 15 06:38:00 EST 2003


On Wed, 14 May 2003 15:24:49 -0500
"Douglas E. Engert" <deengert at anl.gov> wrote:

> Rather than adding Kerberos password support directly into OpenSSH, I would 
> recommend that you use GSSAPI support from Simon Wilkinson <simon at sxw.org.uk> 
> http://www.sxw.org.uk/computing/patches/openssh.html
> 
> If you must send the kerberos userid and password over the network then use 
> the PAM exits to authenticate to Kerberos. In other words avoid adding Kerberos
> directly into OpenSSH.

<shrug> Well, it was there to begin with, I just "made it better" :->

> Simon's excellent GSSAPI code is following along closely with the IETF
> "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol" 
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt

I know about the GSSAPI patch, but in my transition to using Kerberos for
authentication to my systems, I'm not going to require everyone use
GSSAPI for access to my network, at least not for a while.

Honestly, I'm hesitant to require it ever until I can do away with remote
password authentication (i.e., require GSSAPI/Kerb auth) for all network access 
to my systems, as it simply (IMHO) makes network access more confusing when
there are two methods to authenticate to my systems depending on the client.

Then there's the difficulty of getting all of my remote users to get
GSSAPI-enabled apps for all their access, a problem that AFAICT simply
hasn't been solved in the Kerberos world.

Until it is, I'm hesitant to even announce it to my users to avoid confusion.
You can see more of my ranting on the Kerberos list/newsgroup :->

> So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
> modifications instead. 

Well, must we pick one or the other? Could both not exist in the same sshd
binary?

> The GSSAPI has been implemented by a number of other vendors as well,
> so having this in OpenSSH would greatly enhance interoperability. 
> 
> We are now on Simon's mods on 3.6.1p2 and have run this way since 
> 3.0.2 on a number of platforms. We use Unix and Windows based ssh clients 
> to connect to the servers running OpenSSH. I am sure there are many other 
> sites doing the same thing and all of us would appreciate it if GSSAPI mods 
> were included in the base OpenSSH source. 

I second the call to add the GSSAPI support into OpenSSH as well. My plan
is to eventually include both my patch and the GSSAPI patch into my openssh
servers.

Again, I'm not sure that one must pick one or the other. If the developers think
so, I'll maintain my patch locally. Either way.

Jim
