Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Booker Bense bbense at SLAC.Stanford.EDU
Fri May 16 07:42:06 EST 2003


On Thu, 15 May 2003, James F.Hranicky wrote:

> On Thu, 15 May 2003 10:44:33 -0700 (PDT)
> Booker Bense <bbense at SLAC.Stanford.EDU> wrote:
>
> > - No one is arguing that the krb5 API should be used.
> > THAT'S WHY THE GSSAPI standard was created, if you listen to
> > anybody involved in the Kerberos world they will tell you that
> > applications should be using GSSAPI not the krb5 APIs. We
> > already know they are broken, that's why we're telling you
> > not to use them.
>
> Do you have any links on the superiority of GSSAPI over native Krb5? A
> half-hearted google search didn't turn up anything obvious (to me :->).

- Superiority is probably the wrong word to use. GSSAPI was
designed by committee after all. GSSAPI's main advantages are

1. It's an industry standard with several competing
   implementations. It's used successfully in many
   protocols (i.e. anything that uses SASL...).

2. It's designed to be forward compatible with new security
   protocols. If used correctly, you only have to write the
   application once.

3. If you write GSSAPI code there is some chance it will be
   supportable on W2K's native SSPI API. Straight krb5 code
   will always require a 3rd party library on W2K.

- There are some drawbacks to GSSAPI as well. It doesn't handle
  getting initial credentials, it's complex and there's no
  structure for negotiating authentication methods.

- The problem with the krb5 API is actually that it's
under-engineered and there is not the appropriate level of
API for dealing with 3rd party protocols. The krb5sendauth
and krb5recvauth pretty much do the right thing, but do
require that you pass in a raw socket. The 'raw' krb5_mk_req,
krb5_rd_req calls don't fully implement the protocol, there's
a bunch of non-obvious stuff you need to hand code to do the
mutual authentication.

The "right" thing to do would be to abstract out the I/O layer
and just let the security layer get on with its business.
This is pretty much what GSSAPI does.

- Booker C. Bense
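As an added illustration of the I/O-abstraction point made above (this is not part of Booker's message, nor OpenSSH or MIT Kerberos code): a toy mutual-authentication mechanism driven through GSSAPI-style step functions, where the application only shuttles opaque tokens and the security layer never sees a socket. The mechanism, the shared keys and the principal names are constructed stand-ins, not Kerberos.

```python
import hmac, hashlib, os
from collections import deque

CONTINUE_NEEDED, COMPLETE = "CONTINUE_NEEDED", "COMPLETE"

class ToyMech:
    """Toy mutual-authentication mechanism behind GSSAPI-style steps (not Kerberos).
    As with gss_init_sec_context/gss_accept_sec_context, a step takes an opaque
    input token and returns (status, output token); it never touches the transport."""
    def __init__(self, name, key):
        self.name, self.key, self.peer = name, key, None
        self.nonce, self.peer_nonce = os.urandom(16).hex().encode(), None
    def _mac(self, *parts):
        return hmac.new(self.key, b"|".join(parts), hashlib.sha256).hexdigest().encode()
    def init_step(self, tok):                           # initiator side
        if tok is None:                                 # round 1: send name + fresh nonce
            return CONTINUE_NEEDED, b"|".join([b"INIT", self.name, self.nonce])
        kind, peer, peer_nonce, mac = tok.split(b"|")   # round 2: check acceptor's proof
        if kind != b"RESP" or not hmac.compare_digest(mac, self._mac(peer, peer_nonce, self.nonce)):
            raise ValueError("acceptor failed to prove knowledge of the key")
        self.peer = peer
        return COMPLETE, b"|".join([b"FIN", self._mac(self.name, self.nonce, peer_nonce)])
    def accept_step(self, tok):                         # acceptor side
        kind, *rest = tok.split(b"|")
        if kind == b"INIT":                             # prove our key over both nonces
            self.peer, self.peer_nonce = rest
            proof = self._mac(self.name, self.nonce, self.peer_nonce)
            return CONTINUE_NEEDED, b"|".join([b"RESP", self.name, self.nonce, proof])
        if kind == b"FIN" and hmac.compare_digest(rest[0], self._mac(self.peer, self.peer_nonce, self.nonce)):
            return COMPLETE, b""                        # mutual authentication done
        raise ValueError("initiator failed to prove knowledge of the key")

def establish(initiator, acceptor, to_acc, to_init):
    """Transport-agnostic driver: the application only moves opaque tokens.
    to_acc/to_init are deques standing in for any send/recv pair (socket, SASL, ...)."""
    i_status, tok = initiator.init_step(None)
    a_status = CONTINUE_NEEDED
    while i_status == CONTINUE_NEEDED or a_status == CONTINUE_NEEDED:
        if tok:
            to_acc.append(tok)
            a_status, tok = acceptor.accept_step(to_acc.popleft())
        if tok and i_status == CONTINUE_NEEDED:
            to_init.append(tok)
            i_status, tok = initiator.init_step(to_init.popleft())
    return initiator.peer, acceptor.peer

def mutual_auth(client_key, server_key):
    """Returns the peer name each side authenticated, or None if the handshake fails."""
    try:
        return establish(ToyMech(b"client", client_key), ToyMech(b"server", server_key), deque(), deque())
    except ValueError:
        return None
```

Swapping the deques for real socket reads and writes changes nothing in ToyMech, which is the separation the message argues for.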



