Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Booker Bense bbense at SLAC.Stanford.EDU
Tue May 20 00:52:13 EST 2003

On Fri, 16 May 2003, Theo de Raadt wrote:

> We have a very rational answer to the GSSAPI issue.
> The code is too large.  Large blocks of code contain more errors.
> OpenSSH strives to be more secure for everyone, and not risk their
> security for a gigantic piece of functionality that less than < 0.001%
> of the user community wants.
> I think this mail from me is being as nice as possible considering
> this constant bullshit that arrives in my mailbox about this; if this
> continued spew of rude mail from GSSAPI proponents keeps coming to the
> OpenSSH group, you might prepare for having even more Kerberos
> components being ripped out.  Adjust your attitude.  You may not talk
> to us like that.

- If you've been offended, my apologies. I'm just trying to
convey what I believe to be a fundamental technical error.

- Frankly, I would much prefer that you not provide any kerberos
support if you aren't going to implement the protocol correctly.

There are two issues here.

1. Adding the GSSAPI patches.

2. Adding the kerberos-2 at code to the default

- Clearly, your answer to the first is "never in a useful form".

More information about the openssh-unix-dev mailing list