Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdintpatch

Douglas E. Engert deengert at
Fri May 16 02:01:59 EST 2003

All good points, but let me add some others below.
Damien Miller wrote:
> Douglas E. Engert wrote:
> > Simon's excellent GSSAPI code is following along closely with the IETF
> > "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol"
> >
> >
> > So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
> > modifications instead.
> The changes to the server to support kerberos-2 at are about 30
> lines of new code in two files.
> Simon's code:
>  36 files changed, 3321 insertions(+), 9 deletions(-)
> Please consider:
>  a) kerberos-2 at can coexist with Simon's code, should it be
>     merged at some future time;
      Good, at least keep this in mind.

>  b) Simon's code constitutes two orders of magnitude more change
>     than what Markus committed;

   Simon's code changes have been updated for every version of
   OpenSSH since at least 3.0.2. (You might want to take a poll as to
   how many sites are using it.)
>  c) not all the developers are familiar with Kerberos and GSSAPI;

   There are other SSH products which are using the GSSAPI code,
   in particular some PC clients. We would like to see the OpenSSH
   servers support this. Interoperability between implementations is
   very important.

   GSSAPI is being used in other environments, such as SASL, and FTP.

   There are other GSSAPI implementations, other than Kerberos, such
   as the Globus GSI which can use the same API interface.

   The developers don't need to be very familiar with Kerberos, but rather
   with the API of the GSSAPI, which has been a standard for years. And it is
   an API.

   There are multiple versions of Kerberos with different APIs. At least
   MIT and Heimdal, and their APIs do change from time to time.

   One of the PC vendors can even use the Microsoft SSPI, which uses the
   same wire protocol as Kerberos GSSAPI, so you can run it without
   any MIT or Heimdal code at all on the PC.

>  d) Simon's code is still going through the IETF process, whereas
>     SSH.COM's is very minimal (basically a cleanup of the protocol 1
>     Kerberos support) and therefore less likely to change;
      It is very close to last call, and I expect it will happen very soon. 

>  e) being volunteers, our time is limited; and

      Me too. Simon's mods are already done. 
>  f) security problems have been caused in the past by large merges

   There may also be security questions about the SSH.COM kerberos mods.
   The way I understood it, the IETF secsh working group looked them over
   in the past and said no because of the problems, and went with the GSSAPI
   as all of the security issues are then contained in the GSS implementation. 
> -d


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
