Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
Douglas E. Engert
deengert at anl.gov
Fri May 16 02:14:37 EST 2003
Markus Friedl wrote:
>
> To me simplicity of the server code is currently more important.
>
> The "kerberos-2" changes add _no_ new code that's executed by the
> privileged part of sshd and only about 30 lines for the unprivileged
> half of sshd.
Really? But isn't that the point of privsep to do those critical
security checks in the privileged half? If all the kerberos authentication
is done in the unprivileged part, breaking into this process could lead
to the authentication being bypassed. It would seem that you would have to
access the host keytab file from the privileged part at least, as it is
normally owned by root. Or was this code already in the source?
>
> -markus
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444