gssapi/openssh

Simon Wilkinson sxw at warspite.inf.ed.ac.uk
Wed Apr 30 13:25:47 EDT 2003


On Wed, 30 Apr 2003, peter duff wrote:
> I have patched openssh 3.4p1 with simon's gssapi patch, (great job by the
> way).

There'll be a patch for openssh 3.6.1p2 available in the next few days.
This brings the patch up to compliance with the latest version of the
draft, as well as fixing some encoding issues.

> 1. Does the ssh client support running kinit (locally) to first attempt to
> get a tgt if one doesn't exist?

No, it doesn't. Philosophically, I don't think that it's the job of the
client to go out and get credentials, if none exist. Practically, doing
so would require the client to know about the underlying GSSAPI mechanism,
which at present it doesn't need to.

> 2. I discovered that if I "ssh localhost", a principal of host/localhost
> is requested from the TGS.  This is clearly not desired, but makes perfect
> sense.

I'm looking at a patch which would fix this behaviour. However, I'm
concerned:
  a) That the current behaviour satisfies the principle of least
     astonishment. If the user typed 'ssh localhost', then that might be
     what they meant.
  b) That there may be GSSAPI mechanisms where 'ssh localhost' actually
     makes sense.

Cheers,

Simon.