Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Simon Wilkinson sxw at inf.ed.ac.uk
Thu May 15 23:50:23 EST 2003


> The changes to the server to support kerberos-2 at ssh.com are about 30
> lines of new code in two files.
>
> Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)

I take your point that the GSSAPI code is more complex, but you're not
really comparing like with like.

*) GSSAPI contains support for authentication at both key exchange and
   userauth levels
*) The code supports multiple different authentication methods at the
   client end, and two (Kerberos and GSI) at the server side.
*) Credentials forwarding is supported for both Kerberos and GSI
*) Initial support for determining local username, based on the presented
   credentials, is present for both Kerberos and GSI
*) Support for operating without host keys is present

You could write a GSSAPI implementation which just does Kerberos, and
which just does authentication and not credential passing, but it would be
kind of missing the point.

>  c) not all the developers are familiar with Kerberos and GSSAPI;

So why not take patches which have already been reviewed by those that
are? The GSSAPI patches have been examined by people working regularly
with both MIT Kerberos, the Globus GSI implementation, and Heimdal. The
consensus amongst the Kerberos community seems to be that the kerberos-2
method is the wrong direction to be going in.

>  d) Simon's code is still going through the IETF process, whereas
>     SSH.COM's is very minimal (basically a cleanup of the protocol 1
>     Kerberos support) and therefore less likely to change;

If only because the kerberos-2 mechanism was rejected by the IETF secsh
working group at their San Diego meeting in favour of the GSSAPI work.

>  f) security problems have been caused in the past by large merges

And by implementations of poorly thought out and buggy Kerberos
based protocols. There's common acceptance that the Kerberos API is hard
to use correctly. Many application problems have been caused by improper
use of that API. For example, in the current kerberos-2 code, no mutual
authentication of the server is performed at the kerberos layer.

Cheers,

Simon.





More information about the openssh-unix-dev mailing list