
Re: Future of kerberised telnet, login, rsh, ftp?



OK, key exchange is needed, and is a general problem. Well, where does this
stand with regards to getting the OpenSSH people to add this?
I know they know you have the mods, and that others would like to see it
added. What type of community persuasion would it take to get them to add
it?

What I was also asking was if there were other local mods that sites also
thought they needed.


Simon Wilkinson wrote:

> Douglas E. Engert wrote:
> 
>> I believe with version OpenSSH-4.1p1 there are no third party patches 
>> needed.
>> (Unless there is no PAM support.) We have been able to use the
>> pam session routines to get AFS tokens from delegated gssapi credentials
>> as well as from pam authentication.
>>
>> So what patches do people still believe are needed?
> 
> 
> Unfortunately there is still no support in the core distribution for key 
> exchange. Without key exchange, you have to deal with the problem of 
> managing and exchanging your ssh host keys across your whole network. In 
> effect, you've got an entire additional key management issue. Given that 
> Kerberos has already solved this problem, solving it twice seems kind of 
> pointless. Certainly at my site, where we have ~1000 hosts, we couldn't 
> effectively use SSH without key exchange support.
> 
> Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange 
> support, others (Sun, VanDyke) have implemented key exchange within 
> their own codebases. For those without a helpful vendor, my patches for 
> the core OpenSSH codebase are still available.
> 
> Cheers,
> 
> Simon.

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444