Message-ID: <3B8DC2FE.4030002@yahoo.com>
Date: Wed, 29 Aug 2001 23:37:18 -0500
From: Jim Bryant
Reply-To: kc5vdj@yahoo.com
To: David Terrell
Cc: Gordon Tetlow, hackers@freebsd.org
Subject: Re: OpenSSH + Kerberos 5 + PAM
References: <20010829175637.H20868@pianosa.catch22.org>

David Terrell wrote:

> On Tue, Aug 28, 2001 at 04:56:06PM -0700, Gordon Tetlow wrote:
>
>>I like Kerberos 5 and its ability to use tickets so I don't have to type
>>passwords whenever I login/su/need to authenticate myself. So it *really*
>>annoys me that there is a pam_krb5 module that allows you to authenticate
>>against a Kerberos 5 principal but it won't accept any tickets that I try
>>to pass to it. I've done a bit of research on the matter and am told that
>>it is a limitation of the PAM API. So be it.
>>
>>I suppose I can install kerberos' version of telnet/ftp/rsh/rlogin/etc,
>>but again, I'm lazy (I *am* a system administrator). I was thinking that
>>it would be nice to have Kerberos 5 authentication available in OpenSSH
>>since that comes with the distribution and is even enabled by default.
>>
>>So, being lazy, I decided to trawl the net seeing if I could find anyone
>>that has already done the work. Bingo!
>>http://www.sxw.org.uk/computing/patches/openssh.html The author claims
>>that it works with both KTH and MIT Kerberos 5 implementations (I've tried
>>it on MIT and it works like a charm). I was wondering if there was any
>>interest in integrating this, or if it is considered too large a patch. If
>>there is interest, I would be willing to do the legwork to try and
>>integrate it (although there are probably lots of cases to deal with).
>>
>
> Patches have been circulated on openssh-unix-dev to apply kerb5 to
> the upstream OpenBSD source. In fact, krb5 support is in protocol 1
> in the OpenBSD tree now, and I'd speculate that protocol 2 support
> will be in by the time 3.0 ships in December, since OpenBSD 3.0 will
> ship with Kerb5 (Heimdal) in the base.

I'm not that current on krb5, but I do have to ask if the CERT issues
have been resolved? My info on this is a little old, but I recall CERT
advisories last year on serious vulnerabilities in krb5 at the time. It
would be nice to know if they have been fixed.

jim