
Re: [OpenAFS-devel] OpenSSH support for krb4/afs



On Tuesday 30 September 2003 08:30, Martin MOKREJŠ wrote:
> On Thu, 4 Sep 2003, Jeffrey Hutzelman wrote:
> > On Thursday, September 04, 2003 16:59:56 +0200 Harald Barth
> >
> > <haba@pdc.kth.se> wrote:
> > >>   is there anyone who would help the OpenSSH guys to include
> > >> back the krb4 support? As they did not know how to fix problems,
> > >> they rather removed the support as a whole. :((
> > >
> > > I think krb5 and AFS (with 2b) gives me everything I would need. Any
> > > reason to keep v4?
> > >
> > > What is the status of v5 ticket forwarding in ssh today?
> >
> > There is a standards-track extension to the SSHv2 protocol which adds
> > GSSAPI-based user authentication, including credential delegation for
> > those mechanisms which support it (such as GSS-KRB5).  It has been
> > implemented in a variety of SSH clients and servers; there are patches
> > available for OpenSSH 3.x, and I believe the new method will be included
> > in the upcoming OpenSSH 3.7 release.
>
> Hi,
>   I'd like to note that even 3.7.1p1 does not support krb5 (the GSSAPI is
> undef in config.h regardless of what configure options you use).

It works fine for us (from my config.h):

/* Define this is you want GSSAPI support in the version 2 protocol */
#define GSSAPI 1

/* Define if you want Kerberos 5 support */
#define KRB5 1

/* Define this if you are using the Heimdal version of Kerberos V5 */
#define HEIMDAL 1

I used configure with "--with-kerberos5=/usr/local/products/heimdal". I only 
had to change one line in configure because it was trying to use libdes 
whereas we compile Heimdal without libdes and use the des stuff from OpenSSL.
The krb5 ticket forwarding works fine for protocol version 2; the only thing 
the ssh guys didn't include in 3.7.1p2 is the external key exchange, but we can 
probably live with host keys for now.

> Darren Tucker
> <dtucker@zip.com.au> wrote me that he'd love to accept patches for that. It
> might happen that if someone helps, they would release 3.6.1p3 which contains
> the old krb4 code with security fixes backported. For the 3.7 branch,
> someone from you has to convince Theo de Raadt to put the krb4 back ... :)
> I just don't get why ssh supports .rhosts and why in comparison krb4 is
> considered insecure.
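The disagreement above ("GSSAPI is undef in config.h" versus a config.h that shows `#define GSSAPI 1`) comes down to what autoconf actually wrote into config.h after configure ran. The following script is an added example, not code from this thread or from the OpenSSH project: it reads a config.h and reports whether each Kerberos-related macro was recorded as enabled (`#define NAME 1`) or disabled (autoconf's `/* #undef NAME */` form), and fails if GSSAPI or KRB5 is not on. The macro names GSSAPI, KRB5 and HEIMDAL are the ones shown in the message above; KRB4 and AFS are assumed names for the legacy options the thread discusses. The sample config.h is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): report which
# Kerberos-related build options autoconf recorded in an OpenSSH config.h.
# Assumption: config.h uses the standard autoconf forms
#   #define NAME 1        -> feature compiled in
#   /* #undef NAME */     -> feature left out by configure

# Print "NAME=on", "NAME=off" or "NAME=absent" for one macro in a config.h.
config_feature() {
    file="$1"; name="$2"
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$name([[:space:]]|\$)" "$file"; then
        echo "$name=on"
    elif grep -Eq "^[[:space:]]*/\*[[:space:]]*#[[:space:]]*undef[[:space:]]+$name[[:space:]]*\*/" "$file"; then
        echo "$name=off"
    else
        echo "$name=absent"
    fi
}

# Report every Kerberos-related macro; return 1 when GSSAPI or KRB5 is not
# enabled, which is the build the poster above complains about.
ssh_krb_features() {
    file="$1"
    rc=0
    for name in GSSAPI KRB5 HEIMDAL KRB4 AFS; do   # KRB4/AFS: assumed legacy names
        line=$(config_feature "$file" "$name")
        echo "$line"
        case "$line" in
            GSSAPI=on|KRB5=on) ;;
            GSSAPI=*|KRB5=*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the config.h excerpt in the message, plus a
# disabled KRB4 entry in autoconf's "/* #undef */" form.
SAMPLE_CONFIG_H=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG_H"' EXIT
cat >"$SAMPLE_CONFIG_H" <<'EOF'
/* Define this is you want GSSAPI support in the version 2 protocol */
#define GSSAPI 1

/* Define if you want Kerberos 5 support */
#define KRB5 1

/* Define this if you are using the Heimdal version of Kerberos V5 */
#define HEIMDAL 1

/* Define if you want Kerberos 4 support */
/* #undef KRB4 */
EOF

# Run it against a real tree with: ssh_krb_features /path/to/openssh/config.h
ssh_krb_features "$SAMPLE_CONFIG_H"
```

Running it after configure, before make, tells you whether `--with-kerberos5=...` actually took effect; a `/* #undef GSSAPI */` line at that point means configure did not find a usable Kerberos library, so the resulting sshd will silently lack GSSAPI authentication and ticket forwarding no matter what sshd_config says.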