Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
Markus Friedl
markus at openbsd.org
Fri May 16 13:09:18 EST 2003
On Thu, May 15, 2003 at 11:14:37AM -0500, Douglas E. Engert wrote:
>
>
> Markus Friedl wrote:
> >
> > To me simplicity of the server code is currently more important.
> >
> > The "kerberos-2" changes add _no_ new code that's executed by the
> > privileged part of sshd and only about 30 lines for the unprivileged
> > half of sshd.
>
> Really? But isn't that the point of privsep to do those critical
> security checks in the privileged half? If all the kerberos authentication
> is done in the unprivileged part, breaking into this process could lead
> to the authentication being bypassed. It would seem that you would have to
> access the host keytab file from the privileged part at least, as it is
> normally owned by root. Or was this code already in the source?
The code is the same that's used for ssh1.