Future of kerberised telnet, login, rsh, ftp?

Future of kerberised telnet, login, rsh, ftp?

Andrew Bartlett
As a relative newcomer to the kerberos world, I'm wondering what the
future of tools like kerberised telnet, rsh, ftp and the like is.  It
seems from my viewpoint that OpenSSH (with the gssapi mode) and things
like pam_krb5 have taken over from these tools.

I note that recent security advisories for both distributions were in
these 'utility' programs (telnet, ftpd etc) rather than in the core
kerberos code.  

Do these tools still have wide use?  Is there a plan to phase them out,
or maintain them separately to the main kerberos distribution?

(This was brought up by a look we are taking on samba-technical about
what proportion of Heimdal to import, with a strong view to avoid
including these apps).

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Future of kerberised telnet, login, rsh, ftp?

Jeffrey Altman-4
Andrew:

These tools still have extremely wide use.   I cannot speak for Heimdal
but my opinion regarding the MIT distribution is that these apps should
be separated from the core libraries and be maintained and distributed
in an independent package.

Telnet for example should be built using OpenSSL to provide START-TLS
and Kerberos 5 for authentication using the TLS finished messages as
channel bindings.   As long as the apps are shipped and built within
Kerberos there is a chicken-and-egg situation.   TLS cannot be
built with Kerberos ciphers if the Kerberos distribution contains apps
that must be built with TLS.

I anticipate that MIT will be able to announce in the near future that
these apps will be removed in a future release.

Jeffrey Altman


Andrew Bartlett wrote:

> As a relative newcomer to the kerberos world, I'm wondering what the
> future of tools like kerberised telnet, rsh, ftp and the like is.  It
> seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> like pam_krb5 have taken over from these tools.
>
> I note that recent security advisories for both distributions were in
> these 'utility' programs (telnet, ftpd etc) rather than in the core
> kerberos code.  
>
> Do these tools still have wide use?  Is there a plan to phase them out,
> or maintain them separately to the main kerberos distribution?
>
> (This was brought up by a look we are taking on samba-technical about
> what proportion of Heimdal to import, with a strong view to avoid
> including these apps).
>
> Andrew Bartlett

Re: Future of kerberised telnet, login, rsh, ftp?

Russ Allbery
In reply to this post by Andrew Bartlett
Andrew Bartlett <[hidden email]> writes:

> As a relative newcomer to the kerberos world, I'm wondering what the
> future of tools like kerberised telnet, rsh, ftp and the like is.  It
> seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> like pam_krb5 have taken over from these tools.

I would hope that it could eventually, but OpenSSH's GSSAPI support is
currently not sufficient to allow it to do so.  For so long as one needs
third-party patches to OpenSSH for adequate Kerberos support, I don't
think that we're ready to live in that world.

I'm still also seriously concerned about the security implications of
moving from these tools to OpenSSH, and in particular with moving away
from the extremely simple rlogin and rsh protocols to the extremely
complex SSH protocol.  They have very solid track records, whereas OpenSSH
is one of the most heavily attacked programs out there and until recently
was one of the largest sources of major security vulnerabilities.  While
simplicity and obscurity are not actual security measures, they *are*
ameliorating effects; the number of attacks on klogind is easily three
orders of magnitude below the number of attacks on OpenSSH on
Internet-exposed systems.

My expectation for MIT Kerberos is that, at some point, these clients will
be split off from the core distribution and will be maintained separately.
I've volunteered to help with that maintenance and with the release
management for such a project.  My personal interest is in the rlogin and
rsh implementations, but there are significant telnet improvements that
could also be made should people have the interest.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>

Re: Future of kerberised telnet, login, rsh, ftp?

Howard Chu
In reply to this post by Andrew Bartlett
Andrew Bartlett wrote:

> As a relative newcomer to the kerberos world, I'm wondering what the
> future of tools like kerberised telnet, rsh, ftp and the like is.  It
> seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> like pam_krb5 have taken over from these tools.
>
> I note that recent security advisories for both distributions were in
> these 'utility' programs (telnet, ftpd etc) rather than in the core
> kerberos code.  
>
> Do these tools still have wide use?  Is there a plan to phase them out,
> or maintain them separately to the main kerberos distribution?
>
> (This was brought up by a look we are taking on samba-technical about
> what proportion of Heimdal to import, with a strong view to avoid
> including these apps).

Just echoing that. I avoid using them as well, and we often run into
difficulties porting these programs to our supported platforms. Their
base code seems to be quite ancient, and ssh has superseded all of
their usefulness.

--
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support

Re: Future of kerberised telnet, login, rsh, ftp?

Ilia Chipitsine
In reply to this post by Andrew Bartlett
> As a relative newcomer to the kerberos world, I'm wondering what the
> future of tools like kerberised telnet, rsh, ftp and the like is.  It
> seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> like pam_krb5 have taken over from these tools.

when using kerberised telnet, there's no clear text password exchange.
telnet requests a key from kerberos server and that communication is
encrypted.

as for pam_krb5, there's clear text password exchange between telnet and
server, only server<-->kerberos connection is encrypted.

so, I wouldn't consider telnet+pam_krb5 as replacement for kerberised
telnet.

>
> I note that recent security advisories for both distributions were in
> these 'utility' programs (telnet, ftpd etc) rather than in the core
> kerberos code.
>
> Do these tools still have wide use?  Is there a plan to phase them out,
> or maintain them separately to the main kerberos distribution?
>
> (This was brought up by a look we are taking on samba-technical about
> what proportion of Heimdal to import, with a strong view to avoid
> including these apps).

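As an added example, not code from the thread or from any Kerberos distribution, the toy model below shows the point made in the post above together with Jeffrey Altman's channel-binding remark earlier in the thread: with Kerberised telnet the AS exchange carries only principal names and the reply is opened locally with the password-derived key, so the password never crosses the wire; with plain telnet plus pam_krb5 the password itself crosses the telnet session and only the server-to-KDC leg is protected; and an authenticator that carries a channel binding (the TLS Finished-message value Jeffrey mentions) cannot be relayed by a man-in-the-middle over a different TLS session. Everything here is constructed: the realm, principals and password, the `tls-unique` values, and `seal()`/`open_sealed()`, which is an HMAC-based toy cipher standing in for a Kerberos enctype rather than real Kerberos cryptography. Preauthentication, ticket lifetimes and the replay cache are omitted.

```python
# Added example, not from the thread or any Kerberos distribution.  Principals,
# password and "tls-unique" values are constructed; seal()/open_sealed() is a toy
# HMAC cipher standing in for a Kerberos enctype (no preauth, no replay cache).
import hashlib
import hmac
import json
import secrets
import time

USER = "abartlet@EXAMPLE.ORG"                      # constructed
SERVICE = "host/telnet.example.org@EXAMPLE.ORG"    # constructed
PASSWORD = "correct horse battery"                 # constructed

def string_to_key(password, principal):
    """Stand-in for Kerberos string2key: the user's long-term key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    """Toy authenticated encryption: nonce || pt XOR keystream || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or tampered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self):
        self.keys = {SERVICE: secrets.token_bytes(32), USER: string_to_key(PASSWORD, USER)}

    def as_exchange(self, client, service):
        """Simplified AS-REP: ticket under the service key, enc-part under the client's key."""
        session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], json.dumps({"client": client, "session": session}).encode())
        enc_part = seal(self.keys[client], json.dumps({"session": session, "service": service}).encode())
        return ticket, enc_part

def client_get_credentials(kdc, wire, password):
    """AS exchange, client side: only names go on the wire; wrong password -> ValueError."""
    wire.append(b"AS-REQ " + USER.encode() + b" " + SERVICE.encode())
    ticket, enc_part = kdc.as_exchange(USER, SERVICE)
    wire.append(b"AS-REP " + ticket + enc_part)
    session = json.loads(open_sealed(string_to_key(password, USER), enc_part))["session"]
    return ticket, bytes.fromhex(session)

def build_ap_req(ticket, session, channel_binding):
    """Ticket + authenticator (under the session key) carrying a hash of the channel binding."""
    auth = {"client": USER, "ctime": int(time.time()),
            "cb": hashlib.sha256(channel_binding).hexdigest()}
    return len(ticket).to_bytes(2, "big") + ticket + seal(session, json.dumps(auth).encode())

def server_accept_ap_req(keytab_key, ap_req, channel_binding, skew=300):
    """telnetd: open ticket (keytab key) and authenticator (session key); check name, skew, binding."""
    n = int.from_bytes(ap_req[:2], "big")
    try:
        tkt = json.loads(open_sealed(keytab_key, ap_req[2:2 + n]))
        auth = json.loads(open_sealed(bytes.fromhex(tkt["session"]), ap_req[2 + n:]))
    except ValueError:
        return False
    if auth["client"] != tkt["client"] or abs(time.time() - auth["ctime"]) > skew:
        return False
    return hmac.compare_digest(auth["cb"], hashlib.sha256(channel_binding).hexdigest())

def kerberised_telnet_login(password, channel_binding=b""):
    """Kerberised telnet.  Returns (accepted, packets that crossed the wire)."""
    kdc, wire = KDC(), []
    try:
        ticket, session = client_get_credentials(kdc, wire, password)
    except ValueError:
        return False, wire
    ap_req = build_ap_req(ticket, session, channel_binding)
    wire.append(b"AP-REQ " + ap_req)
    return server_accept_ap_req(kdc.keys[SERVICE], ap_req, channel_binding), wire

def pam_krb5_login(password):
    """telnet + pam_krb5: the password crosses the telnet session in the clear.  Returns (accepted, wire)."""
    kdc, wire = KDC(), []
    wire += [b"login: " + USER.encode(), b"Password: " + password.encode()]  # cleartext
    try:  # pam_krb5 on the server runs the AS exchange with the password it received
        open_sealed(string_to_key(password, USER), kdc.as_exchange(USER, SERVICE)[1])
    except ValueError:
        return False, wire
    return True, wire

def password_on_wire(wire, password):
    return any(password.encode() in pkt for pkt in wire)

def relayed_ap_req_rejected():
    """AP-REQ captured on TLS session A (client -> MITM) and relayed over session B (MITM -> server) fails."""
    kdc, wire = KDC(), []
    ticket, session = client_get_credentials(kdc, wire, PASSWORD)
    tls_unique_a, tls_unique_b = secrets.token_bytes(12), secrets.token_bytes(12)
    return not server_accept_ap_req(kdc.keys[SERVICE], build_ap_req(ticket, session, tls_unique_a), tls_unique_b)
```

`kerberised_telnet_login(PASSWORD)` succeeds with the password absent from every captured packet, `pam_krb5_login(PASSWORD)` succeeds with the password visible in the second packet, and `relayed_ap_req_rejected()` returns True because the server compares the binding in the authenticator against the Finished value of the session it actually terminated.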
Re: Future of kerberised telnet, login, rsh, ftp?

Andrew Bartlett
On Wed, 2005-07-06 at 09:31 +0600, Ilia Chipitsine wrote:

> > As a relative newcomer to the kerberos world, I'm wondering what the
> > future of tools like kerberised telnet, rsh, ftp and the like is.  It
> > seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> > like pam_krb5 have taken over from these tools.
>
> when using kerberised telnet, there's no clear text password exchange.
> telnet requests a key from kerberos server and that communication is
> encrypted.
>
> as for pam_krb5, there's clear text password exchange between telnet and
> server, only server<-->kerberos connection is encrypted.
>
> so, I wouldn't consider telnet+pam_krb5 as replacement for kerberised
> telnet.
Indeed, I was referring to kerberised 'login' as being superseded by PAM
and pam_krb5, in particular on Linux systems.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Future of kerberised telnet, login, rsh, ftp?

Michael Graff-2
In reply to this post by Jeffrey Altman-4
On Tuesday 05 July 2005 21:29, Jeffrey Altman scribbled:
> Andrew:
>
> These tools still have extremely wide use.   I cannot speak for Heimdal
> but my opinion regarding the MIT distribution is that these apps should
> be separated from the core libraries and be maintained and distributed
> in an independent package.

I'm not certain if you are looking beyond MIT's use and into other areas, but
most places I know of use Kerberos 5 as an authentication server and ignore
all of rsh, rcp, telnet, ftp, etc.  Why?  The system tools do kerberos well
enough, and installing another set of tools is a pain.

--Michael


Re: Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein
In reply to this post by Andrew Bartlett
>As a relative newcomer to the kerberos world, I'm wondering what the
>future of tools like kerberised telnet, rsh, ftp and the like is.  It
>seems from my viewpoint that OpenSSH (with the gssapi mode) and things
>like pam_krb5 have taken over from these tools.

Not from my perspective (and how does pam_krb5 fit in with Kerberized
telnet/rsh/ftp ?)

My BIG problem with OpenSSH today is that it's damn hard to get out a
useful Kerberos error (I had a discussion about this with Simon Wilkinson
at the AFS Workshop - it's sort of inherent in the current architecture
of OpenSSH).  This isn't a speculative problem; I had a bunch of users for
whom GSSAPI-OpenSSH simply would not work, and we could never get an
error out.  After a while of trying to debug it, I eventually gave up
and told the people that they should just use one of the other Kerberos
utilities for login (which worked fine, from what I remember).

Telnet is unfortunately a mess, but the Kerberized r-commands are
relatively simple in terms of both protocol and implementation.  If I
need to add support to a particular implementation of rlogin, the work
I need to do is relatively straightforward.  Telnet is more of a pain,
but it's not awful.  And if I need to do some custom authorization checks
on the backend (which I have to do a lot, unfortunately), this is relatively
easy to add to telnetd & rlogind.  Putting this in OpenSSH ends up
being a huge mess.

--Ken

Re: Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein
In reply to this post by Howard Chu
>Just echoing that. I avoid using them as well, and we often run into
>difficulties porting these programs to our supported platforms. Their
>base code seems to be quite ancient, and ssh has superseded all of
>their usefulness.

You're kidding, right?  What's hard about porting these programs?  I've
ported Kerberos to all sorts of wacky systems, and these things rarely
give me problems.

I'll give you login.krb5 can be kinda squirrelly, but you don't need that
on the client side, and you could probably get away with invoking the
system login program from the server daemons (I don't, but that's because
I need to do a bunch of stuff at login time, and I have to run on systems
that don't support PAM).  Even my much-hacked login.krb5 hasn't been
too much trouble.

--Ken

Re: Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson-2
In reply to this post by Ken Hornstein
Ken Hornstein wrote:
> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH).

Thinking back, I perhaps didn't make this clear. Both client and server
error messages should be readily available on their respective machines.
Server side GSSAPI errors currently go into the debug logs - you should
be able to see these by running the server with the '-d' option. It's
arguable that these should go into the system logs, although when they
did, people complained about the verbosity.

Errors on the client are either sent to stdout, or will be visible when
the client is run with the '-v' option.

The issue is with transmitting server errors back to the client for
display. As well as being a religious issue (how much information should
a server provide to the client about why their authentication failed),
doing so is also complicated by the internal architecture of OpenSSH.

Hope that clears things up!

Cheers,

Simon.

Re: Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein
>Thinking back, I perhaps didn't make this clear. Both client and server
>error messages should be readily available on their respective machines.
>Server side GSSAPI errors currently go into the debug logs - you should
>be able to see these by running the server with the '-d' option. It's
>arguable that these should go into the system logs, although when they
>did, people complained about the verbosity.

I wasn't aware of that, but it wouldn't have helped me in this case; the
systems in question weren't under our control, and it was easier to tell
the person to use a non-ssh client than to get the admin involved.  I know
this sounds weird, but the systems were in a timezone relatively far from
mine and the admin was hard to reach; we had to do a lot of coordination
to get ahold of each other, and it was a problem that had to be solved
within a relatively short time period.

>Errors on the client are either sent to stdout, or will be visible when
>the client is run with the '-v' option.

We _did_ try that, but nothing useful came back.

>The issue is with transmitting server errors back to the client for
> display. As well as being a religious issue (how much information should
>a server provide to the client about why their authentication failed),
>doing so is also complicated by the internal architecture of OpenSSH.

Right, this is what I was thinking of.  The majority of problems that I
see involved errors from processing the AP_REQ; _those_ are the
important ones to get back to the client.  All of those "obsolete"
Kerberos programs send back any errors encountered on the server, which
is invaluable for debugging.

--Ken

Re: Future of kerberised telnet, login, rsh, ftp?

Donn Cave
In reply to this post by Russ Allbery
On Jul 5, 2005, at 7:07 PM, Russ Allbery wrote:
[... re ssh supplanting telnet/ftp ...]
> I would hope that it could eventually, but OpenSSH's GSSAPI support is
> currently not sufficient to allow it to do so.  For so long as one needs
> third-party patches to OpenSSH for adequate Kerberos support, I don't
> think that we're ready to live in that world.

And that's just one ssh implementation.  Has anyone
heard rumors of movement towards the "adequate"
brand of GSSAPI support in ssh.com's implementation?
I can't really defend the choice to use ssh.com, but in
practice it's significant enough to make it even less
realistic to call SSH2 a Kerberos option.

     Donn Cave, [hidden email]



Re: Future of kerberised telnet, login, rsh, ftp?

Douglas E. Engert


Donn Cave wrote:

> On Jul 5, 2005, at 7:07 PM, Russ Allbery wrote:
> [... re ssh supplanting telnet/ftp ...]
>
>> I would hope that it could eventually, but OpenSSH's GSSAPI support is
>> currently not sufficient to allow it to do so.  For so long as one needs
>> third-party patches to OpenSSH for adequate Kerberos support, I don't
>> think that we're ready to live in that world.


I believe with version OpenSSH-4.1p1 there are no third party patches needed.
(Unless there is no PAM support.) We have been able to use the
pam session routines to get AFS tokens from delegated gssapi credentials
as well as from pam authentication.

So what patches do people still believe are needed?

>
>
> And that's just one ssh implementation.  Has anyone
> heard rumors of movement towards the "adequate"
> brand of GSSAPI support in ssh.com's implementation?

Don't know about ssh.com, But SecureCRT and PuTTY (with patches)
works well with OpenSSH and Kerberos.


> I can't really defend the choice to use ssh.com, but in
> practice it's significant enough to make it even less
> realistic to call SSH2 a Kerberos option.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Future of kerberised telnet, login, rsh, ftp?

Russ Allbery
Douglas E Engert <[hidden email]> writes:

> I believe with version OpenSSH-4.1p1 there are no third party patches
> needed.  (Unless there is no PAM support.) We have been able to use the
> pam session routines to get AFS tokens from delegated gssapi credentials
> as well as from pam authentication.

> So what patches do people still believe are needed?

GSSAPI key exchange.  I'm already keying all of my hosts once with
Kerberos.  They should not have separate RSA keys that also have to be
kept secure and unchanging.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>

Re: Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson-2
In reply to this post by Douglas E. Engert
Douglas E. Engert wrote:
> I believe with version OpenSSH-4.1p1 there are no third party patches
> needed.
> (Unless there is no PAM support.) We have been able to use the
> pam session routines to get AFS tokens from delegated gssapi credentials
> as well as from pam authentication.
>
> So what patches do people still believe are needed?

Unfortunately there is still no support in the core distribution for key
exchange. Without key exchange, you have to deal with the problem of
managing and exchanging your ssh host keys across your whole network. In
effect, you've got an entire additional key management issue. Given that
Kerberos has already solved this problem, solving it twice seems kind of
pointless. Certainly at my site, where we have ~1000 hosts, we couldn't
effectively use SSH without key exchange support.

Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange
support, others (Sun, VanDyke) have implemented key exchange within
their own codebases. For those without a helpful vendor, my patches for
the core OpenSSH codebase are still available.

Cheers,

Simon.

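As an added example (not OpenSSH's code and not from the thread) of the key-management burden Russ and Simon describe: without GSSAPI key exchange every client has to already hold each server's host key, normally in `known_hosts`, and keeping that file complete across a fleet is the "second key management problem". The script below parses a `known_hosts` file, including `HashKnownHosts` entries of the form `|1|salt|HMAC-SHA1(salt, host)` and the `@revoked` and `@cert-authority` markers, and reports which hosts of a fleet have no usable entry. The host names, the salt and the key strings are constructed placeholders; the hashed-entry format is OpenSSH's. Pattern negation with `!` is not handled.

```python
# Added example, not OpenSSH's code and not from the thread.  Host names, salt and
# key strings are constructed placeholders; the hashed-entry format is OpenSSH's.
import base64
import fnmatch
import hashlib
import hmac
import secrets

def hash_hostname(host, salt):
    """OpenSSH HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(pattern, host):
    """Does a known_hosts host field cover host?  Hashed entries are checked by
    recomputing the HMAC; plain entries are comma-separated globs (no '!' negation)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), mac)
    return any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))

def parse_known_hosts(text):
    """Yield (marker, host_field, key_type, key) per entry; marker is '' or e.g. '@revoked'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):
            marker, line = line.split(None, 1)
        fields = line.split(None, 3)          # host_field key_type key [comment]
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], fields[2]

def keys_for_host(known_hosts, host):
    """Usable (key_type, key) entries for host: revoked keys excluded, CA entries kept."""
    return [(kt, key) for marker, field, kt, key in parse_known_hosts(known_hosts)
            if marker != "@revoked" and entry_matches(field, host)]

def missing_hosts(known_hosts, fleet):
    """Fleet members with no usable entry: the keys that still have to be distributed
    by hand when the SSH layer cannot get host authentication from Kerberos."""
    return [h for h in fleet if not keys_for_host(known_hosts, h)]

# Constructed sample: five hosts and a known_hosts with plain, hashed, revoked and CA lines.
FLEET = ["node%02d.example.org" % i for i in range(1, 6)]
SALT = secrets.token_bytes(20)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key strings are placeholders, not real public keys",
    "node01.example.org,10.0.0.1 ssh-ed25519 AAAAPLACEHOLDERKEY01",
    hash_hostname("node02.example.org", SALT) + " ssh-ed25519 AAAAPLACEHOLDERKEY02",
    "@revoked node03.example.org ssh-rsa AAAAPLACEHOLDERKEY03",
    "@cert-authority *.lab.example.org ssh-ed25519 AAAAPLACEHOLDERCA",
])

if __name__ == "__main__":
    print("hosts without a usable known_hosts entry:", missing_hosts(SAMPLE_KNOWN_HOSTS, FLEET))
```

On the constructed sample, node01 is covered by a plain entry, node02 by a hashed one, node03 only by a revoked key, and node04 and node05 by nothing, so `missing_hosts()` reports node03, node04 and node05; with GSSAPI key exchange the client would instead obtain a service ticket for `host/<fqdn>` from the KDC and none of these entries would be needed for host authentication.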
Re: Future of kerberised telnet, login, rsh, ftp?

Douglas E. Engert
OK, key exchange is needed, and is a general problem. Well where does this
stand with regards to getting the OpenSSH people to add this?
I know they know you have the mods, and that others would like to see it
added. What type of community persuasion would it take to get them to add
it?

What I was also asking was if there were other local mods that sites also
thought they needed.


Simon Wilkinson wrote:

> Douglas E. Engert wrote:
>
>> I believe with version OpenSSH-4.1p1 there are no third party patches
>> needed.
>> (Unless there is no PAM support.) We have been able to use the
>> pam session routines to get AFS tokens from delegated gssapi credentials
>> as well as from pam authentication.
>>
>> So what patches do people still believe are needed?
>
>
> Unfortunately there is still no support in the core distribution for key
> exchange. Without key exchange, you have to deal with the problem of
> managing and exchanging your ssh host keys across your whole network. In
> effect, you've got an entire additional key management issue. Given that
> Kerberos has already solved this problem, solving it twice seems kind of
> pointless. Certainly at my site, where we have ~1000 hosts, we couldn't
> effectively use SSH without key exchange support.
>
> Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange
> support, others (Sun, VanDyke) have implemented key exchange within
> their own codebases. For those without a helpful vendor, my patches for
> the core OpenSSH codebase are still available.
>
> Cheers,
>
> Simon.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Future of kerberised telnet, login, rsh, ftp?

Donn Cave
On Jul 6, 2005, at 11:31 AM, Douglas E. Engert wrote:

> OK, key exchange is needed, and is a general problem. Well where does this
> stand with regards to getting the OpenSSH people to add this?
> I know they know you have the mods, and that others would like to see it
> added. What type of community persuasion would it take to get them to add
> it?
>
> What I was also asking was if there were other local mods that sites also
> thought they needed.

Some vendors ship OpenSSH patched to support [hidden email].
I don't expect anyone here is going to sign any petitions for that, but
it does suggest that some site thinks they need it.

     Donn Cave, [hidden email]



Re: Future of kerberised telnet, login, rsh, ftp?

Russ Allbery
In reply to this post by Douglas E. Engert
Douglas E Engert <[hidden email]> writes:

> OK, key exchange is needed, and is a general problem. Well where does
> this stand with regards to getting the OpenSSH people to add this?  I
> know they know you have the mods, and that others would like to see it
> added. What type of community persuasion would it take to get them to
> add it?

> What I was also asking was if there were other local mods that sites
> also thought they needed.

If OpenSSH had key exchange in the standard source tree, I'd be happy with
it as an SSH server (and client) and could just use PAM for all the
non-GSSAPI stuff for clients that don't understand GSSAPI yet.

Ken's problem with error reporting still remains, however, as to my
concerns over protocol simplicity and security.  I'm not sure if those
remaining issues would keep many people using Kerberos rlogin/rsh/telnet
(I question telnet the most because it *doesn't* have protocol simplicity
or a strong security track record going for it), though.

--
Russ Allbery ([hidden email])             <http://www.eyrie.org/~eagle/>

Re: Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson
In reply to this post by Douglas E. Engert
Douglas E. Engert wrote:
> OK, key exchange is needed, and is a general problem. Well where does this
> stand with regards to getting the OpenSSH people to add this?
> I know they know you have the mods, and that others would like to see it
> added. What type of community persuasion would it take to get them to add
> it?

I'm working at the moment in unifying a number of disparate versions of
the key exchange patch set into a unified code base, and then separating
the code out into functional sets.

Once that work is complete, I plan on presenting a minimal
implementation of key exchange to the OpenSSH folks again. At this
point, it would be really useful if a number of people from the Kerberos
community would be prepared to perform code reviews on the changes.
Hopefully the I-D describing key exchange will be in, or past, last call
by this point too.

I'll keep you all posted.

Cheers,

Simon.

Re: Future of kerberised telnet, login, rsh, ftp?

Andrew Bartlett
In reply to this post by Ken Hornstein
On Wed, 2005-07-06 at 10:57 -0400, Ken Hornstein wrote:
> >As a relative newcomer to the kerberos world, I'm wondering what the
> >future of tools like kerberised telnet, rsh, ftp and the like is.  It
> >seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> >like pam_krb5 have taken over from these tools.
>
> Not from my perspective (and how does pam_krb5 fit in with Kerberized
> telnet/rsh/ftp ?)

That I was meaning in regard to kerberised /sbin/login.  BTW, do people
ever try to do kerberised gdm/xdm without PAM?

> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH).  This isn't a speculative problem; I had a bunch of users for
> whom GSSAPI-OpenSSH simply would not work, and we could never get an
> error out.  After a while of trying to debug it, I eventually gave up
> and told the people that they should just use one of the other Kerberos
> utilities for login (which worked fine, from what I remember).
>
> Telnet is unfortunately a mess, but the Kerberized r-commands are
> relatively simple in terms of both protocol and implementation.  If I
> need to add support to a particular implementation of rlogin, the work
> I need to do is relatively straightforward.  Telnet is more of a pain,
> but it's not awful.  And if I need to do some custom authorization checks
> on the backend (which I have to do a lot, unfortunately), this is relatively
> easy to add to telnetd & rlogind.  Putting this in OpenSSH ends up
> being a huge mess.
Now I know the world doesn't run PAM, but isn't that the place for a PAM
account module?  (Perhaps one of the few things PAM does particularly
well).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
