Date:      Wed, 29 Aug 2001 23:37:18 -0500
From:      Jim Bryant <kc5vdj@yahoo.com>
To:        David Terrell <dbt@meat.net>
Cc:        Gordon Tetlow <gordont@gnf.org>, hackers@freebsd.org
Subject:   Re: OpenSSH + Kerberos 5 + PAM
Message-ID:  <3B8DC2FE.4030002@yahoo.com>
References:  <Pine.LNX.4.33.0108281642230.30888-100000@smtp.gnf.org> <20010829175637.H20868@pianosa.catch22.org>

David Terrell wrote:

> On Tue, Aug 28, 2001 at 04:56:06PM -0700, Gordon Tetlow wrote:
> 
>>I like Kerberos 5 and its ability to use tickets so I don't have to type
>>passwords whenever I login/su/need to authenticate myself. So it *really*
>>annoys me that there is a pam_krb5 module that allows you to authenticate
>>against a Kerberos 5 principal but it won't accept any tickets that I try
>>to pass to it. I've done a bit of research on the matter and am told that
>>it is a limitation of the PAM API. So be it.
>>
>>I suppose I can install kerberos' version of telnet/ftp/rsh/rlogin/etc,
>>but again, I'm lazy (I *am* a system administrator). I was thinking that
>>it would be nice to have Kerberos 5 authentication available in OpenSSH
>>since that comes with the distribution and is even enabled by default.
>>
>>So, being lazy, I decided to trawl the net seeing if I could find anyone
>>that has already done the work. Bingo!
>>http://www.sxw.org.uk/computing/patches/openssh.html The author claims
>>that it works with both KTH and MIT Kerberos 5 implementations (I've tried
>>it on MIT and it works like a charm). I was wondering if there was any
>>interest in integrating this, or if it is considered too large a patch. If
>>there is interest, I would be willing to do the legwork to try and
>>integrate it (although there are probably lots of cases to deal with).
>>
> 
> Patches have been circulated on openssh-unix-dev to apply kerb5 to
> the upstream OpenBSD source.  In fact, krb5 support is in protocol 1 
> in the OpenBSD tree now, and I'd speculate that protocol 2 support
> will be in by the time 3.0 ships in December, since OpenBSD 3.0 will
> ship with Kerb5 (Heimdal) in the base.


I'm not that current on krb5, but I do have to ask if the CERT issues have been resolved?  My info on this is a little old, but I recall CERT advisories last year on serious vulnerabilities in krb5 at the time; it would be nice to know if they have been fixed.


jim
-- 
ET has one helluva sense of humor!
He's always anal-probing right-wing schizos!

