Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Simon Wilkinson sxw at inf.ed.ac.uk
Fri May 16 09:56:41 EST 2003


On Fri, 16 May 2003, Damien Miller wrote:

> Booker Bense wrote:
>
> >>>> Because in the end we are held accountable.  Not Simon, not
> >>>> you and not IETF.
> >>
> >> - So you'd rather go with an implementation that has KNOWN flaws,
> >> just because it's short?
>
> Well our lists have been strangely silent on these flaws, considering we
> have been using the same code for our protocol 1 KrbV auth for years.

I've seen assorted conversations about the issues with the Kerberos
support in ssh protocol 1 code over the years. They've also been mentioned
on various different mailing lists, including the ietf list.

For me, the major issue is that these problems aren't really
implementation flaws, but protocol ones. The ssh-1 protocol was deployed
flaws and all, and represented the only option for workable Kerberos
authentication in that protocol. With ssh version 2, there is the chance
to actually get it right. Carrying forward the known and documented flaws
in the v1 protocol to v2 seems like a missed opportunity.

Cheers,

Simon.
