Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Damien Miller djm at mindrot.org
Thu May 15 10:06:10 EST 2003


Douglas E. Engert wrote:

> Simon's excellent GSSAPI code is following along closely
> with the IETF "GSSAPI Authentication and Key Exchange for
> the Secure Shell Protocol"
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
>
> So I would like to ask the OpenSSH developers to pick up Simon's
> GSSAPI modifications instead.

The changes to the server to support kerberos-2@ssh.com are about 30
lines of new code in two files.

Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)

Please consider:

 a) kerberos-2@ssh.com can coexist with Simon's code, should it be
    merged at some future time;

 b) Simon's code constitutes two orders of magnitude more change
    than what Markus committed;

 c) not all the developers are familiar with Kerberos and GSSAPI;

 d) Simon's code is still going through the IETF process, whereas
    SSH.COM's is very minimal (basically a cleanup of the protocol 1
    Kerberos support) and therefore less likely to change;

 e) being volunteers, our time is limited; and

 f) security problems have been caused in the past by large merges


-d






More information about the openssh-unix-dev mailing list