Kerberos in OpenSsh 2.9.9p2
Simon Wilkinson
simon at sxw.org.uk
Thu Sep 27 20:11:28 EST 2001
On Thursday 27 September 2001 09:17, Hans Insulander wrote:
> Please get the MIT people, Heimdal people and the Kerberos community to
> define and implement a common API instead. Maintaining #ifdefs is a RPITA.
But easier in the short term :-)
I think that there are two issues. The first is functions that exist in both
the MIT code and the Heimdal code, but take different arguments. There are
also data structures with the same name, but different structures. This
obviously needs fixing.
The second is that Heimdal has a number of "helper" functions which MIT
Kerberos doesn't have - these perform the actions of a number of MIT library
calls in one handy function. It is possible to code without using these, and
instead use the MIT-compatible calls.
In any case, I've now got a patch that compiles - it just requires further
testing.
There are some interesting bits in the code - for instance Kerberos
authentication appears to be only enabled if a Kerberos 4 srvtab is found
(servconf.c). I'm also concerned about the credentials cache handling.
It appears to create a file-based credentials cache before the user's
permission to access the system has been established. Is it not better to use
a memory cache whilst proving the user's identity, and only copy the
credentials to disk once the krb5_kuserok checks have been satisfied?
Cheers,
Simon.
--
Simon Wilkinson <simon at sxw.org.uk> http://www.sxw.org.uk
"I love deadlines. I like the whooshing sound they make as they fly by. "
- Douglas Adams
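
The ordering asked about in the message above (keep credentials in memory while the user is being checked, write the cache file only after the krb5_kuserok check passes), as an added example that is not part of the original post or of OpenSSH's code. `commit_ccache`, `authorize_fn` and `demo_kuserok` are hypothetical names; the callback stands in for krb5_kuserok and the byte buffer for the received credentials.

```c
/* Added example, not OpenSSH code. authorize_fn is a hypothetical stand-in
 * for krb5_kuserok(); the byte buffer stands in for the received credentials. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*authorize_fn)(const char *principal, const char *luser);

/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 0 once the cache file is written, -1 if access is denied or I/O
 * fails. The in-memory copy is wiped on every path, and no file is created
 * until the authorization check has passed. */
int commit_ccache(unsigned char *cred, size_t len, const char *principal,
                  const char *luser, authorize_fn authorized, const char *path) {
    int fd, rc = -1;
    if (!authorized(principal, luser))
        goto out;                         /* denied: nothing reaches disk */
    /* O_CREAT|O_EXCL fails if anything, symlinks included, already exists. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    rc = (write(fd, cred, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    if (rc != 0)
        unlink(path);                     /* never leave a partial cache */
out:
    wipe(cred, len);
    return rc;
}

/* Constructed policy for the demo: only alice@EXAMPLE.ORG may act as alice. */
static int demo_kuserok(const char *principal, const char *luser) {
    return !strcmp(principal, "alice@EXAMPLE.ORG") && !strcmp(luser, "alice");
}

int main(void) {
    unsigned char cred[] = "constructed-credential-bytes";
    int rc = commit_ccache(cred, sizeof cred, "mallory@EXAMPLE.ORG", "alice",
                           demo_kuserok, "/tmp/krb5cc_demo");
    printf("denied principal -> rc=%d\n", rc);
    return 0;
}
```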