Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Ben Lindstrom mouring at etoh.eviladmin.org
Fri May 16 02:24:19 EST 2003


My take on this whole bit.

On Thu, 15 May 2003, Booker Bense wrote:

> On Thu, 15 May 2003, Damien Miller wrote:
>
[..]
> >  e) being volunteers, our time is limited; and
>
> - Simon's code has been in use for years, looked at by
> experts in the field and is generally considered the
> "Right way to do this". Since your time is limited why
> not take advantage of all the work that has been done
> and gone through peer review, rather than a half-hour
> hack?
>

Because in the end we are held accountable.  Not Simon, not
you and not the IETF.

And simple straightforward solutions are easier to understand
and audit than complex ones.

> - There are lots of people that would gladly work on
> this code. In general, most people in the kerberos world
> would like to drop support for telnet and krsh and move
> to a standard ssh code, but we cannot do this with the
> current SSH code base and nobody wants to deal with
> the broken ssh1 implementation.
>

Not to degrade Simon's work.  I know he has spent a lot of time, but
I have to agree with Markus and others that large patches always seem
to bite us in the ass.  No matter how good their intentions are.

> >
> >  f) security problems have been caused in the past by large merges
> >
>
> - Kerberos security problems are almost always caused by
> incorrect use of the API. For good or ill, the straightforward
> approach is almost wrong, this is the reason that kerberos
> communtity is trying to encourage people to use GSSAPI
> ( an IETF standard ) rather than the adhoc native k5 API.
>

You know what this tells me.  Someone is overdoing the Kerberos
API.  Not being able to use the 'straightforward approach' shows
*BAD* design on their part.  You'd think people would have
learned this by now.

Granted, Krb is not the only one with that problem either.  After
privsep came into existence, the amount of hoops we've had to jump
through to get sane security on some platforms (mostly failing on
a few, i.e. Tru64) is just nuts.

- Ben
