Re: kerberos support in ssh/lsh



>>>>> "Niels" == Niels Möller <nisse@lysator.liu.se> writes:

    Niels> Brian May <bmay@csse.monash.edu.au> writes:
    >> So, please don't break a good authentication system by implementing a
    >> hacked version of the protocol.

    Niels> Well, some people (including people who ought to understand the
    Niels> drawbacks) want this. I think it makes sense in some circumstances.

Well, I can't argue with that. But why they don't just use NIS or LDAP
to gain the same level of security is beyond me (I think these methods
are simpler to understand, too).

    >> (If you really wanted to, I think you could do this via PAM anyway).

    Niels> I couldn't do that. The interface of PAM is brain-damaged, and it is
    Niels> unusable for network authentication. (For an lsh-centric explanation
    Niels> why, see <URL: http://www.lysator.liu.se/~nisse/lsh/doc/NOTES>). I
    Niels> haven't looked at SASL.

I am afraid I am not convinced:

(i) true - PAM is only good for password protection (this is why I
like the idea behind SASL), but that is all that you are trying to
implement anyway. Why reinvent the wheel?

(ii) not sure about this, but openssh seems to work fine with PAM...

(iii) again, this doesn't seem to be a problem for openssh.

However, I must confess, I have never tried to implement anything for
PAM. I could put you in touch with people who do understand it better,
if you desire.
-- 
Brian May <bmay@csse.monash.edu.au>