From: David Terrell
To: Gordon Tetlow
Cc: hackers@freebsd.org
Date: Wed, 29 Aug 2001 17:56:38 -0700
Subject: Re: OpenSSH + Kerberos 5 + PAM
Message-ID: <20010829175637.H20868@pianosa.catch22.org>

On Tue, Aug 28, 2001 at 04:56:06PM -0700, Gordon Tetlow wrote:
> I like Kerberos 5 and its ability to use tickets so I don't have to type
> passwords whenever I login/su/need to authenticate myself. So it *really*
> annoys me that there is a pam_krb5 module that allows you to authenticate
> against a Kerberos 5 principal but it won't accept any tickets that I try
> to pass to it. I've done a bit of research on the matter and am told that
> it is a limitation of the PAM API. So be it.
>
> I suppose I can install kerberos' version of telnet/ftp/rsh/rlogin/etc,
> but again, I'm lazy (I *am* a system administrator). I was thinking that
> it would be nice to have Kerberos 5 authentication available in OpenSSH
> since that comes with the distribution and is even enabled by default.
>
> So, being lazy, I decided to trawl the net seeing if I could find anyone
> that has already done the work. Bingo!
> http://www.sxw.org.uk/computing/patches/openssh.html The author claims
> that it works with both KTH and MIT Kerberos 5 implementations (I've tried
> it on MIT and it works like a charm). I was wondering if there was any
> interest in integrating this, or if it is considered too large a patch. If
> there is interest, I would be willing to do the legwork to try and
> integrate it (although there are probably lots of cases to deal with).

Patches have been circulated on openssh-unix-dev to apply kerb5 to the
upstream OpenBSD source. In fact, krb5 support is in protocol 1 in the
OpenBSD tree now, and I'd speculate that protocol 2 support will be in
by the time 3.0 ships in December, since OpenBSD 3.0 will ship with
Kerb5 (Heimdal) in the base.

--
David Terrell            | "Any sufficiently advanced technology
Prime Minister, Nebcorp  | is indistinguishable from a rigged demo."
dbt@meat.net             |   - Brian Swetland
http://wwn.nebcorp.com/