Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Frank Cusack fcusack at fcusack.com
Fri May 16 09:38:31 EST 2003


On Thu, May 15, 2003 at 10:06:10AM +1000, Damien Miller wrote:
>  a) kerberos-2 at ssh.com can coexist with Simon's code, should it be
>     merged at some future time;
> 
>  b) Simon's code constitutes two orders of magnitude more change
>     than what Markus committed;

Yet you just committed a large PAM change, probably broken (by your
own statement when you announced the commit).  I'd say the PAM change
is more severe than the GSSAPI change (maybe not in sheer LOC, but
certainly in scope).

You will probably want to argue that FreeBSD's been using it for some
time, but FreeBSD isn't really the reference PAM platform ...

>  c) not all the developers are familiar with Kerberos and GSSAPI;

Of course not.  Different developers work on different parts of the code.
Get some developers that ARE familiar with krb5 and GSSAPI.  To name two,
Nicolas Williams and Simon Wilkinson are certainly pretty capable.

>  d) Simon's code is still going through the IETF process, whereas
>     SSH.COM's is very minimal (basically a cleanup of the protocol 1
>     Kerberos support) and therefore less likely to change;

ssh itself is still going through IETF.  It's well known that kerberos-2
is broken; SSH.COM's code isn't even IN the IETF!  Even if GSSAPI changes,
it's not like you don't already have bunches of compatibility hacks in the
code.  SSH.COM's code, being proprietary, and having known broken bits,
is more likely to change IMHO.

>  e) being volunteers, our time is limited; and

See point (c).

>  f) security problems have been caused in the past by large merges

See point (b).

/fc