Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
Damien Miller
djm at mindrot.org
Thu May 15 10:06:10 EST 2003
Douglas E. Engert wrote:
> Simon's excellent GSSAPI code is following along closely
> with the IETF "GSSAPI Authentication and Key Exchange for
> the Secure Shell Protocol"
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
>
> So I would like to ask the OpenSSH developers to pick up Simon's
> GSSAPI modifications instead.
The changes to the server to support kerberos-2@ssh.com are about 30
lines of new code in two files.

Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)

Please consider:

a) kerberos-2@ssh.com can coexist with Simon's code, should it be
   merged at some future time;
b) Simon's code constitutes two orders of magnitude more change
   than what Markus committed;
c) not all the developers are familiar with Kerberos and GSSAPI;
d) Simon's code is still going through the IETF process, whereas
   SSH.COM's is very minimal (basically a cleanup of the protocol 1
   Kerberos support) and therefore less likely to change;
e) being volunteers, our time is limited; and
f) security problems have been caused in the past by large merges.

-d