Re: OpenSSH + Kerberos 5 + PAM

Wed, 29 Aug 2001 21:09:53 -0700 

David Terrell wrote:

> On Tue, Aug 28, 2001 at 04:56:06PM -0700, Gordon Tetlow wrote:
> 
>>I like Kerberos 5 and it's ability to use tickets so I don't have to type
>>passwords whenever I login/su/need to authenticate myself. So it *really*
>>annoys me that there is a pam_krb5 module that allows you to authenticate
>>against a Kerberos 5 principal but it won't accept any tickets that I try
>>to pass to it. I've done a bit of research on the matter and am told that
>>it is a limitation of the PAM API. So be it.
>>
>>I suppose I can install kerberos' version of telnet/ftp/rsh/rlogin/etc,
>>but again, I'm lazy (I *am* a system administrator). I was thinking that
>>it would be nice to have Kerberos 5 authentication available in OpenSSH
>>since that comes with the distribution and is even enabled by default.
>>
>>So, being lazy, I decided to trawl the net seeing if I could find anyone
>>that has already done the work. Bingo!
>>http://www.sxw.org.uk/computing/patches/openssh.html The author claims
>>that it works with both KTH and MIT Kerberos 5 implementations (I've tried
>>it on MIT and it works like a charm). I was wondering if there was any
>>interest in integrating this, or if it is considered too large a patch. If
>>there is interest, I would be willing to do the legwork to try and
>>integrate it (although there is probably lots of cases to deal with).
>>
> 
> Patches have been circulated on openssh-unix-dev to apply kerb5 to
> the upstream OpenBSD source.  In fact, krb5 support is in protocol 1 
> in the OpenBSD tree now, and I'd speculate that protocol 2 support
> will be in by the time 3.0 ships in December, since OpenBSD 3.0 will
> ship with Kerb5 (Heimdal) in the base.


I'm not that current on krb5, but I do have to ask if the CERT issues have been 
resolved?  My info on this is a little old, but I 
recall CERT advisories last year on serious vulnerabilities in krb5 at the time, it 
would be nice to know if they have been fixed.


jim
-- 
ET has one helluva sense of humor!
He's always anal-probing right-wing schizos!


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to