Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Markus Friedl markus at openbsd.org
Fri May 16 13:09:18 EST 2003


On Thu, May 15, 2003 at 11:14:37AM -0500, Douglas E. Engert wrote:
> 
> 
> Markus Friedl wrote:
> > 
> > To me simplicity of the server code is currently more important.
> > 
> > The "kerberos-2" changes add _no_ new code that's executed by the
> > privileged part of sshd and only about 30 lines for the unprivileged
> > half of sshd.
> 
> Really? But isn't that the point of privsep to do those critical
> security checks in the privileged half? If all the kerberos authentication
> is done in the unprivileged part, breaking into this process could lead
> to the authentication being bypassed. It would seem that you would have to
> access the host keytab file from the privileged part at least, as it is
> normally owned by root. Or was this code already in the source?

The code is the same that's used for ssh1.
