
kerberos support in ssh/lsh


I'm quite new to this list and to kerberos, and I would need some

People have been asking me to add kerberos support to lsh, my
implementation of the ssh-2 protocol. Kerberos support can mean many
things, but the primary feature asked for is to let people use their
kerberos passwords when logging in to the server.

That's quite un-kerberish, but the idea is that the client sends the
password to the server (encrypted by the ssh transport protocol), the
server tries to get a kerberos ticket on the client's behalf, and if
that succeeds, the client is considered authorized. It's an extra plus
if the server stores the ticket in the user's credential cache just as
if the user had run kinit.

An implementation problem is that lshd is a single server; it doesn't
fork until it spawns a shell for a successfully logged in user. So it
can't use calls like krb5_get_kdc_cred that ultimately block when
waiting for a reply from the kdc. I can see at least three different

1. Hack some kind of asynchronous interface to heimdal. Ideally, I need
   something like

        <name, realm, passwd>  -->  <packet, sockaddr>

        <reply-packet>         -->  <success>

   lshd would call the first function to build a proper packet, and send
   it off. When it gets a reply, it calls the second function to
   determine whether or not the password was correct.

2. fork() off an extra process, which duplicates most of the work done
   by kinit.

3. fork() and exec() the real kinit program. To do this, the interface
   to kinit would need minor changes. First, it would need an option
   to read the password from stdin (or from some other fd). Secondly,
   one would have to make sure that kinit never exits successfully
   unless it actually did get a ticket.

I'll appreciate any advice. I'd also like to know if there are any docs
that can help me get started with kerberos. I have had a quick look at
the description in Applied Cryptography, and RFC 1510. I'll also have
to read the heimdal texinfo manual (the previous time I looked at
heimdal, the only docs I could find were bsd-style man-pages which my
man program didn't understand).

Suggestions on how to support kerberos the Right Way (i.e. have the
client transmit a kerberos ticket rather than a password) would also
be nice, although it seems less urgent to implement.

Best regards,
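
Approach 3 from the message above (fork and exec a kinit-like helper, password on its stdin, exit status as the verdict), sketched as an added example that is not part of the original message and is not lsh or heimdal code. The function names `start_password_helper` and `helper_accepted` are assumptions, and `main` runs a constructed `/bin/sh` stand-in instead of a real kinit.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start helper_argv[0] (a hypothetical kinit-like helper) with the password on
 * its stdin, never in argv, where other local users could see it with ps. */
pid_t start_password_helper(char *const helper_argv[], const char *password)
{
    int fds[2];
    size_t len = strlen(password);
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                     /* child: pipe read end becomes stdin */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        execv(helper_argv[0], helper_argv);
        _exit(127);                     /* exec failed: must never look like success */
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);           /* the helper may die before reading */
    /* One short line fits in the pipe buffer, so these writes do not block. */
    if (write(fds[1], password, len) != (ssize_t)len || write(fds[1], "\n", 1) != 1)
        kill(pid, SIGKILL);             /* partial input: force a failure status */
    close(fds[1]);                      /* EOF marks the end of the password */
    return pid;                         /* the server's event loop reaps it later */
}

/* Accept only a normal exit with status 0; a signal or exec failure rejects. */
int helper_accepted(int wait_status)
{
    return WIFEXITED(wait_status) && WEXITSTATUS(wait_status) == 0;
}

int main(void)
{   /* Constructed stand-in helper: exits 0 only when stdin carries "s3cret". */
    char *argv[] = {"/bin/sh", "-c", "read p; [ \"$p\" = s3cret ]", NULL};
    int status;
    pid_t pid = start_password_helper(argv, "s3cret");
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return 2;
    return helper_accepted(status) ? 0 : 1;
}
```

In a single-process server the blocking `waitpid` in `main` would be replaced by reaping on SIGCHLD or `waitpid(pid, &status, WNOHANG)` from the event loop, so the login is decided without stalling other connections.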