Subject: Re: Heimdal, SSH, and my hair...
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Peter Losher <Peter.Losher@nominum.com>
List: current-users
Date: 01/19/2001 14:03:47
On Fri, 19 Jan 2001, Ken Hornstein wrote:
> FWIW, most Kerberos sites that I'm aware of use Kerberized telnet, and
> the one shipped with NetBSD works just fine.
This is like saying that I should go from using a color DHL envelope to a
clear one to ship my confidential express mail, just because the access
point to the envelope is supported, and it only the clear envelope is
integrated into our shipping system.
I have heard the "Use ktelnet" argument before and it is bogus - all
ktelnet does is add Krb5 authentication into telnet. The telnet protocol,
last I checked, didn't allow for encrypted sessions and port forwarding to
name a few. Using ktelnet to transmit data across the public Internet is
NOT an option for me.
I had a perfectly good system in place on our NetBSD systems before
Heimdal was "integrated" into the tree, and now that it is, it has made
updating SSH with Krb5 support, to the best of my knowledge, impossible.
SSH is used every day for all of our interactive connections, and Krb5 is
used for authentication and we have no option but to keep it that way.
Now if someone has a way of getting around this, I would be happy to hear
it.
-Peter
--
Peter Losher <Peter.Losher@nominum.com>
Systems Admin. - Nominum, Inc. PGP key available on request