Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Damien Miller djm at mindrot.org
Fri May 16 10:18:13 EST 2003


Simon Wilkinson wrote:
> On Fri, 16 May 2003, Damien Miller wrote:
>
>> Well our lists have been strangely silent on these flaws, considering we
>> have been using the same code for our protocol 1 KrbV auth for years.
> 
> I've seen assorted conversations about the issues with the Kerberos
> support in ssh protocol 1 code over the years. They've also been mentioned
> on various different mailing lists, including the ietf list.

Could you summarise these arguments here?

> For me, the major issue is that these problems aren't really
> implementation flaws, but protocol ones. The ssh-1 protocol was deployed
> flaws and all, and represented the only option for workable Kerberos
> authentication in that protocol. With ssh version 2, there is the chance
> to actually get it right. Carrying forward the known and documented flaws
> in the v1 protocol to v2 seems like a missed opportunity.

I think that refusing to add 30 lines of code to support a deployed
authentication mechanism (which will be completely orthogonal to
anything the IETF blesses) would be a missed opportunity.

If people dislike kerberos-2@ssh.com support, they are free to disable it.

-d