Subject: Re: PAM and OpenSSH
To: Love <lha@stacken.kth.se>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-userlevel
Date: 01/26/2005 14:04:37
On 1106765327 seconds since the Beginning of the UNIX epoch
Love wrote:
>
>IMO kerberos 5 support as implemented my ssh.com or the openssh version
>where both not very useful since they didn't bind the ssh connection to the
>kerberos authentication, and thus opened up the user to tunneling
>attack. Also there wasn't a mode specified for host authentication (ie a
>SSH-KEX). Basicly Kerberos was used as a glorified OTP protocol.
The Kerberos 5 support is definitely suboptimal---but I still think
that we should add them back in (late in the chain) to provide a
migration strategy for people who want to use gss-mech.
>gss-mech is real progress, however, in OpenSSH, the GSS-KEX was never
>adopted. So we still have to deal with this "please enter yes" stupidness.
Is there some problem with GSS-KEX? If not, why don't we just
plonk it into our ssh? I've been using it at home and it is quite
liberating to not have to deal with ssh's aenemic key handling.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/