Message: 5
Date: Tue, 30 Sep 2003 14:30:02 +0200 (CEST)
From: Martin MOKREJŠ <[EMAIL PROTECTED]>
To: Jeffrey Hutzelman <[EMAIL PROTECTED]>
Cc: Harald Barth <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [OpenAFS-devel] OpenSSH support for krb4/afs
On Thu, 4 Sep 2003, Jeffrey Hutzelman wrote:
On Thursday, September 04, 2003 16:59:56 +0200 Harald Barth <[EMAIL PROTECTED]> wrote:
> >> is there anyone who would help the OpenSSH guys to include
> >> back the krb4 support? As they did not know how to fix problems,
> >> they rather removed the support as a whole. :((
> >
> > I think krb5 and AFS (with 2b) gives me everything I would need. Any
> > reason to keep v4?
> >
> > What is the status of v5 ticket forwarding in ssh today?
There is a standards-track extension to the SSHv2 protocol which adds GSSAPI-based user authentication, including credential delegation for those mechanisms which support it (such as GSS-KRB5). It has been implemented in a variety of SSH clients and servers; there are patches available for OpenSSH 3.x, and I believe the new method will be included in the upcoming OpenSSH 3.7 release.
Hi, I'd like to note that even 3.7.1p1 does not support krb5 (GSSAPI is undef in config.h regardless of what configure options you use). Darren Tucker <[EMAIL PROTECTED]> wrote me that he'd love to accept patches for that. It might happen that, if someone helps, they would release 3.6.1p3, which contains the old krb4 code with security fixes backported. For the 3.7 branch, someone from you has to convince Theo de Raadt to put the krb4 back ... :) I just don't get why ssh supports .rhosts and why, in comparison, krb4 is considered insecure.
I've successfully tested GSSAPI with 3.7.1p1 on Solaris 8 with MIT Kerberos 1.3.1 installed. The configure option for GSSAPI re-uses the old krb5 configure option, but the ssh[d]_config files use new directives to enable the capability. You also need a "host" principal in your keytab file or sshd will disable the capability.
The test was only from the machine to itself since I haven't been able to make it build with Heimdal on the other machine yet. From what the author told me there are probably lots of compatibility issues with the built-in GSSAPI as well.
sshd didn't create a new session to distinguish the ccache of the loopback session from the original. (Think "PAGs not implemented".)
In other words it exists; it works; but it needs some more work.
If you have a Kerberos 5 cell and aren't using Heimdal then you can use afslog (from KTH/Heimdal) or aklog to get an afs token from the forwarded tgt.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
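The two practical points made above (sshd needs a "host" principal in its keytab or it quietly disables GSSAPI, and the client must both authenticate with GSSAPI and delegate credentials before aklog/afslog on the server has a TGT to work from) are easy to get wrong in config files. The script below is an added example, not code from this thread, OpenSSH or OpenAFS: it checks an sshd_config, an ssh_config and a "klist -k" listing for exactly those conditions. The host name login.example.org, the realm EXAMPLE.ORG, the config files and the keytab listing are all constructed samples so the script runs offline; only the directive names (GSSAPIAuthentication, GSSAPIDelegateCredentials) and the first-value-wins rule are real OpenSSH behaviour.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSH or OpenAFS): pre-flight checks
# before relying on SSHv2 GSSAPI (GSS-KRB5) login with delegated credentials
# plus aklog/afslog for an AFS token.  Host name, realm, config files and the
# "klist -k" listing are constructed samples so everything runs offline.

FQDN=login.example.org    # assumed
REALM=EXAMPLE.ORG         # assumed
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# First value wins in sshd_config/ssh_config (keywords are case-insensitive),
# so a "yes" appended below an existing "no" changes nothing.  Print that value.
config_value() {  # $1 = config file, $2 = keyword
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == kw     { print $2; exit }' "$1"
}

# Is host/<fqdn>@<REALM> present in a "klist -k" listing?
# Without that key sshd silently disables the gssapi-with-mic method.
has_host_principal() {  # $1 = listing file, $2 = fqdn, $3 = realm
    awk -v want="host/$2@$3" \
        '$1 ~ /^[0-9]+$/ && $2 == want { ok = 1 } END { exit !ok }' "$1"
}

# Server side: GSSAPIAuthentication enabled and a usable host key in the keytab.
server_ready() {  # $1 = sshd_config, $2 = klist -k listing, $3 = fqdn, $4 = realm
    [ "$(config_value "$1" GSSAPIAuthentication)" = yes ] ||
        { echo "sshd_config: GSSAPIAuthentication is not yes"; return 1; }
    has_host_principal "$2" "$3" "$4" ||
        { echo "keytab: host/$3@$4 missing"; return 1; }
}

# Client side: both authentication and delegation on; otherwise no TGT reaches
# the server and aklog (OpenAFS/MIT) or afslog (Heimdal/KTH) there has nothing.
client_ready() {  # $1 = ssh_config
    [ "$(config_value "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(config_value "$1" GSSAPIDelegateCredentials)" = yes ]
}

# --- constructed samples ---------------------------------------------------
cat >"$TMP/sshd_good" <<EOF
# sshd_config (constructed)
Port 22
GSSAPIAuthentication yes
EOF
cat >"$TMP/sshd_bad" <<EOF
GSSAPIAuthentication no
# the "fix" was appended at the bottom, which sshd ignores:
GSSAPIAuthentication yes
EOF
cat >"$TMP/ssh_good" <<EOF
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
cat >"$TMP/keytab_good" <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 host/$FQDN@$REALM
   3 afs/example.org@$REALM
EOF
cat >"$TMP/keytab_bad" <<EOF
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 host/other.example.org@$REALM
EOF

# Run the checks.  In real use replace the listing file with "klist -k" output
# and the sample configs with /etc/ssh/sshd_config and ~/.ssh/config; after
# "ssh -o GSSAPIDelegateCredentials=yes $FQDN" run aklog or afslog there.
if server_ready "$TMP/sshd_good" "$TMP/keytab_good" "$FQDN" "$REALM"; then
    echo "server (good config): ready"
fi
if ! server_ready "$TMP/sshd_bad" "$TMP/keytab_good" "$FQDN" "$REALM"; then
    echo "server (appended yes): not ready, as expected"
fi
if ! server_ready "$TMP/sshd_good" "$TMP/keytab_bad" "$FQDN" "$REALM"; then
    echo "server (wrong host key): not ready, as expected"
fi
if client_ready "$TMP/ssh_good"; then
    echo "client: will delegate the TGT"
fi
```

The second server case is the one that bites most often: editing sshd_config by appending `GSSAPIAuthentication yes` at the end does nothing when an earlier `no` is already there, and the failure mode on the client is just a silent fall-back to the next authentication method.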
