Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Booker Bense bbense at SLAC.Stanford.EDU
Fri May 16 03:44:33 EST 2003


On Thu, 15 May 2003, Ben Lindstrom wrote:

>
> My take on this whole bit.
>
> On Thu, 15 May 2003, Booker Bense wrote:
>
> > On Thu, 15 May 2003, Damien Miller wrote:
> >
> [..]
> > >  e) being volunteers, our time is limited; and
> >
> > - Simon's code has been in use for years, looked at by
> > experts in the field and is generally considered the
> > "Right way to do this". Since your time is limited why
> > not take advantage of all the work that has been done
> > and gone through peer review, rather than a half hour
> > hack?
> >
>
> Because in the end we are held accountable.  Not Simon, not
> you and not IETF.

- So you'd rather go with an implementation that has KNOWN flaws,
just because it's short?

>
> And simple straightforward solutions are easier to understand
> and audit than complex ones.
>
> > - There are lots of people that would gladly work on
> > this code. In general, most people in the kerberos world
> > would like to drop support for telnet and krsh and move
> > to a standard ssh code, but we cannot do this with the
> > current SSH code base and nobody wants to deal with
> > the broken ssh1 implementation.
> >
>
> Not to degrade Simon's work.  I know he has spent a lot of time, but
> I have to agree with Markus and others that large patches always seem
> to bite us in the ass.  No matter how well-intentioned they are.

- Then you are never going to support GSSAPI and you should just
say so and we can get on with our lives. If you're never going to
do the right thing at least don't do the wrong thing. You should
drop all support for kerberos. I'm perfectly fine with that, the
people that are interested can fork a project to continue Simon's
patches. Either do it right or don't do it.


> > >
> > >  f) security problems have been caused in the past by large merges
> > >
> >
> > - Kerberos security problems are almost always caused by
> > incorrect use of the API. For good or ill, the straightforward
> > approach is almost wrong, this is the reason that the kerberos
> > community is trying to encourage people to use GSSAPI
> > ( an IETF standard ) rather than the ad hoc native k5 API.
> >
>
> You know what this tells me.  Someone is overdoing the Kerberos
> API.  Not being able to use the 'straightforward approach' shows
> *BAD* design on their part.  You'd think people would have
> learned this by now.

- No one is arguing that the krb5 API should be used.
THAT'S WHY THE GSSAPI standard was created, if you listen to
anybody involved in the kerberos world they will tell you that
applications should be using GSSAPI not the krb5 APIs. We
already know they are broken, that's why we're telling you
not to use them.

- Booker C. Bense




More information about the openssh-unix-dev mailing list