Some GSSAPI/Kerberos Questions
sxw at inf.ed.ac.uk
Tue Feb 10 10:24:44 EST 2004

On Mon, 9 Feb 2004, Phil Dibowitz wrote:
> But, erm, the announcement says, "This release contains some GSSAPI
> user authentication support to replace legacy KerberosV authentication
> support. At present this code is still considered experimental and
> SHOULD NOT BE USED."

The code drop of GSSAPI support into OpenSSH coincided with major
revisions to the Internet-Draft on which it was based. These revisions
were to address concerns about the lack of linking between the
GSSAPI context and OpenSSH's session identifiers. These concerns
applied equally to the Kerberos V code which was in early versions of
OpenSSH. The GSSAPI code in 3.7.1 is based on the pre-revision protocol.
CVS has an implementation of the newest I-D, which overcomes
these issues.

It should be noted that implementations based on the earlier I-Ds are
_not_ compatible with those using the newest ones. If you can wait, wait
for the 3.7.2 codebase.

> For those who have used the GSSAPI stuff in 3.7.1 - have you found it
> stable?

I've been distributing patches implementing GSSAPI support for several
years now, and they're fairly widely deployed. Unfortunately I don't
believe they can be considered 'stable' until the I-D upon which they're
based makes it through to an RFC.

If you want to try out the code in 3.7.1 (and I'd really recommend waiting
for 3.7.2 for production use), you need to turn on 'GSSAPIAuthentication'
in both the client and the server.

Cheers,
Simon.
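
As an added illustration (not part of the original message and not OpenSSH code), the sketch below shows what linking the GSSAPI context to the SSH session identifier means, using the MIC input layout of the gssapi-with-mic method as later published in RFC 4462. HMAC-SHA256 stands in for GSS_GetMIC, and the context key, session identifiers and user names are constructed sample values.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mic_input(session_id: bytes, user: str, service: str = "ssh-connection") -> bytes:
    """Data covered by the MIC in gssapi-with-mic (RFC 4462 layout)."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))

def get_mic(context_key: bytes, data: bytes) -> bytes:
    """Assumption: HMAC-SHA256 as a stand-in for GSS_GetMIC on the context."""
    return hmac.new(context_key, data, hashlib.sha256).digest()

def server_accepts(context_key: bytes, session_id: bytes, user: str, mic: bytes) -> bool:
    """Server side: recompute the MIC over *its own* session identifier."""
    expected = get_mic(context_key, mic_input(session_id, user))
    return hmac.compare_digest(expected, mic)

def demo():
    # Constructed sample values, not taken from any real exchange.
    context_key = hashlib.sha256(b"constructed GSS context key").digest()
    session_a = hashlib.sha256(b"constructed key exchange A").digest()
    session_b = hashlib.sha256(b"constructed key exchange B").digest()
    mic = get_mic(context_key, mic_input(session_a, "alice"))
    return (
        server_accepts(context_key, session_a, "alice", mic),  # same session
        server_accepts(context_key, session_b, "alice", mic),  # other session
        server_accepts(context_key, session_a, "bob", mic),    # other user
    )

if __name__ == "__main__":
    print(demo())
```

Without the session identifier in the covered data, the second check would pass as well, which is the missing link between the GSSAPI context and the SSH session that the revised draft addresses.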