
Re: Heimdal and r* client programs
Tillman Hodgson wrote:
> 
> On Wed, Aug 14, 2002 at 10:33:05AM -0500, Douglas E. Engert wrote:
> > Tillman Hodgson wrote:
> > > Does the TGT-upon-login work with version 1 of the ssh protocol? I've
> > > been playing with the GSSAPI version 2 stuff, and I'd like to compare it
> > > to the version 1 stuff.
> >
> > If you are interested in the GSSAPI for version 1, I do have mods to Simon's
> > mods. The SecureCRT product has a GSSAPI capability with version 1, which we have been
> > using for years. We intend to drop these when the GSSAPI for version 2 is implemented.
> >
> > If you are interested, drop me a note, and what version of OpenSSH you have.
> 
> I'm more interested in the built-in support for Kerberos v5 in the ssh
> version 1 protocol. I'm trying to move away from hand-rolled ssh
> packages to ease maintenance issues :-)

Yes and so am I!

Simon's excellent mods to OpenSSH implement the IETF ssh working group's GSSAPI
authentication protocols. See:  http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-04.txt
The draft is close to being adopted. Hopefully the OpenSSH people will then
add Simon's mods to their distribution, addressing your comment about maintenance issues.
Since they are using the GSS-API, you don't deal with MIT or Heimdal API issues either.
So using the GSSAPI is about as standard as you can get.

> 
> If I could have an ssh login to a perimeter server also request and
> store the TGT, then I can log in once to the network from the outside
> (in a secure fashion via ssh) and have single sign-on from there on.

Yes, forwarding of a ticket, or, with GSS, it's called delegation.

> Eliminating the need for users to do a k5init would be great.

We do that with GSSAPI and SSHD can get an AFS token for you too.

> Is that possible with a generic openssh 3.4p1, perhaps using the version 1
> protocol?

Don't know, we are not interested in direct calls to Kerberos from SSH.  
Only via GSSAPI if at all possible. 


> 
> Thanks muchly,
> 
> - Tillman
> 
> --
> "Everything you are against weakens you. Everything you are for
> empowers you."
>         - Wayne Dyer (American Psychotherapist & Author)

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
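
The single-sign-on setup discussed in the thread (log in once to a perimeter host over ssh, delegate the Kerberos TGT so later hops need no kinit) as an added configuration example. This is not code from the original thread or from Simon's patches; it uses the GSSAPI option names that later shipped in stock OpenSSH (GSSAPIAuthentication, GSSAPIDelegateCredentials, GSSAPICleanupCredentials), not the 3.4p1 asked about above, and the hostname gw.example.org and realm EXAMPLE.ORG are assumed. GSSAPIKeyExchange (the key-exchange half of the draft) exists only in Simon's patch set, never in upstream OpenSSH, so it is left out here.

```text
# --- Perimeter server: /etc/ssh/sshd_config (added example; assumes the
#     gateway has host/gw.example.org@EXAMPLE.ORG in its keytab)
GSSAPIAuthentication yes
# Destroy the delegated credential cache when the session ends, so the
# user's TGT does not linger on the gateway after logout.
GSSAPICleanupCredentials yes
# Once every user has a ticket, password login on the gateway can go.
PasswordAuthentication no

# --- Client: ~/.ssh/config (added example)
# A delegated TGT lets the receiving host act as you, so delegate only to
# the gateway you trust with it, never globally.
Host gw.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

Delegation through the krb5 mechanism only works when the client's TGT is forwardable (`kinit -f`, or `forwardable = true` in krb5.conf), so the check after `ssh gw.example.org` is simply `klist` on the gateway: it should show the forwarded krbtgt/EXAMPLE.ORG@EXAMPLE.ORG entry. This covers the delegation case only; having sshd obtain a fresh TGT from a password, which is what the protocol 1 question above is about, is a separate mechanism.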