Possible security flaw in OpenSSH and/or pam_krb5

Stephen Frost sfrost at snowman.net
Fri Jun 17 22:27:40 EST 2005


* Damien Miller (djm at mindrot.org) wrote:
> We do get PAM, we just don't feel the need to rewrite our application to
> cope with its terrible interface. What we have works with the vast
> majority of PAM modules and the module that does regularly cause
> problems (pam_krb5) replicates functionality largely integrated into
> OpenSSH anyway.

This caught me slightly off-guard so I'd like to just double-check...
As far as I'm aware it's not possible to duplicate what pam_krb5 does
(takes a password, gets a TGT and a host/<fqdn> for the user and dumps
it into their KRB5CCACHE) with OpenSSH today.

Thinking about it, I don't see any particular reason why that *couldn't*
be coded into sshd, and it would nicely get around the problems pam_krb5
and ssh have today.  I expect there would need to be an option to
enable/disable it since I'm sure some people have setups similar to me
(one machine allows passworded logins, everything else demands
Kerberos).

Am I wrong in my assumption that OpenSSH hasn't got such an option
today, and if not, is this an indication that the OpenSSH team would be
willing to consider a patch to add that functionality directly to
OpenSSH?  Anyone else interested in this besides me?  Personally I'm not
exactly a big fan of the seemingly often interaction problems between
OpenSSH and pam_krb5 and this might resolve the problems once and for
all...

	Many thanks,

		Stephen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050617/7b5543f5/attachment.bin 


More information about the openssh-unix-dev mailing list