
Re: [OpenAFS-devel] OpenSSH support for krb4/afs



On Thu, 4 Sep 2003, Jeffrey Hutzelman wrote:

> On Thursday, September 04, 2003 16:59:56 +0200 Harald Barth
> <haba@pdc.kth.se> wrote:
>
> >
> >>   is there anyone who would help the OpenSSH guys to include
> >> back the krb4 support? As they did not know how to fix problems,
> >> they rather removed the support as a whole. :((
> >
> > I think krb5 and AFS (with 2b) gives me everything I would need. Any
> > reason to keep v4?
> >
> > What is the status of v5 ticket forwarding in ssh today?
>
> There is a standards-track extension to the SSHv2 protocol which adds
> GSSAPI-based user authentication, including credential delegation for those
> mechanisms which support it (such as GSS-KRB5).  It has been implemented in
> a variety of SSH clients and servers; there are patches available for
> OpenSSH 3.x, and I believe the new method will be included in the upcoming
> OpenSSH 3.7 release.

Hi,
  I'd like to note that even 3.7.1p1 does not support krb5 (the GSSAPI is
undef in config.h regardless of what configure options you use). Darren Tucker
<dtucker@zip.com.au> wrote me that he'd love to accept patches for that. It
might happen that if someone helps, they would release 3.6.1p3 which contains
the old krb4 code with security fixes backported. For the 3.7 branch,
one of you has to convince Theo de Raadt to put the krb4 back ... :)
I just don't get why ssh supports .rhosts and why in comparison krb4 is
considered insecure.

-- 
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585