Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Markus Friedl markus at openbsd.org
Fri May 16 16:22:38 EST 2003


On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> But
> the second IMHO is fatally flawed. You could argue that it's not
> necessary given that the host is already authenticated via the
> TSL layer, but it's a flaw that can be exploited. IMHO, checking
> the mutual authentication is a requirement when you also
> implement tgt forwarding.

So we should add code that's 100 times as large just to have an
additional way to authenticate a server that's already authenticated?




More information about the openssh-unix-dev mailing list