Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Douglas E. Engert deengert at
Fri May 16 02:14:37 EST 2003

Markus Friedl wrote:
> To me simplicity of the server code is currently more important.
> The "kerberos-2" changes add _no_ new code that's executed by the
> privileged part of sshd and only about 30 lines for the unprivileged
> half of sshd.

Really? But isn't that the point of privsep to do those critical
security checks in the privileged half? If all the Kerberos authentication
is done in the unprivileged part, breaking into this process could lead
to the authentication being bypassed. It would seem that you would have to
access the host keytab file from the privileged part at least, as it is
normally owned by root. Or was this code already in the source?

> -markus


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
