From owner-freebsd-hackers  Tue Aug 28 16:57: 5 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail.gnf.org (firewall.gnf.org [208.44.31.34])
	by hub.freebsd.org (Postfix) with ESMTP id 54B1437B403
	for <hackers@freebsd.org>; Tue, 28 Aug 2001 16:57:03 -0700 (PDT)
	(envelope-from gordont@gnf.org)
Received: by mail.gnf.org (Postfix, from userid 888)
	id 14C2E11E509; Tue, 28 Aug 2001 16:56:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by mail.gnf.org (Postfix) with ESMTP id 1026511A56A
	for <hackers@freebsd.org>; Tue, 28 Aug 2001 16:56:06 -0700 (PDT)
Date: Tue, 28 Aug 2001 16:56:06 -0700 (PDT)
From: Gordon Tetlow <gordont@gnf.org>
To: <hackers@freebsd.org>
Subject: OpenSSH + Kerberos 5 + PAM
Message-ID: <Pine.LNX.4.33.0108281642230.30888-100000@smtp.gnf.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

I like Kerberos 5 and it's ability to use tickets so I don't have to type
passwords whenever I login/su/need to authenticate myself. So it *really*
annoys me that there is a pam_krb5 module that allows you to authenticate
against a Kerberos 5 principal but it won't accept any tickets that I try
to pass to it. I've done a bit of research on the matter and am told that
it is a limitation of the PAM API. So be it.

I suppose I can install kerberos' version of telnet/ftp/rsh/rlogin/etc,
but again, I'm lazy (I *am* a system administrator). I was thinking that
it would be nice to have Kerberos 5 authentication available in OpenSSH
since that comes with the distribution and is even enabled by default.

So, being lazy, I decided to trawl the net seeing if I could find anyone
that has already done the work. Bingo!
http://www.sxw.org.uk/computing/patches/openssh.html The author claims
that it works with both KTH and MIT Kerberos 5 implementations (I've tried
it on MIT and it works like a charm). I was wondering if there was any
interest in integrating this, or if it is considered too large a patch. If
there is interest, I would be willing to do the legwork to try and
integrate it (although there is probably lots of cases to deal with).

-gordon


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message