GSSAPIDelegateCredentials only works for REQUIRES_PRE_AUTH principals?

Simon Wilkinson simon at sxw.org.uk
Tue Jun 8 17:28:19 EDT 2010


On 8 Jun 2010, at 22:05, Russ Allbery wrote:
>> In general I find that sshd really does a very poor job explaining the
>> reason why things went wrong when it comes to Kerberos/GSSAPI.  I've got
>> some free cycles this summer that I can put towards fixing that if it's
>> something that can be fixed.
> 
> I haven't looked at the code personally, but what I recall from what other
> people have said is that the code is structured so that doing proper error
> reporting is fairly difficult.

There are a few factors at play here.

Firstly, the client only reports GSSAPI errors if it's run with the -v flag. This was a requirement when the code was originally pulled into OpenSSH, as they wanted to avoid alarming users who knew nothing about Kerberos/GSSAPI with the opaque error messages produced by GSSAPI at the time. Fixing this would be fairly straightforward - getting those fixes into OpenSSH, less so.

Secondly, GSSAPI libraries have historically produced pretty poor error messages, "See etext for details" being a great example of this. The only way to solve this is to improve the information that comes out of your library. I think MIT have done some recent work on this.

Thirdly, there's no communication of server errors back to the client. This is partly deliberate, as telling the client why an operation failed can, in some environments, be an information leak. My original GSSAPI patch had support for sending this information, based on configuration settings. When I was trying to get the GSSAPI code into OpenSSH, this was one of the things that got dropped in order to reduce code complexity.

> It can also be quite hard to get OpenSSH upstream to take GSSAPI-related patches, depending on how those patches strike them.

Unless you have the patience and perseverance of Sisyphus, I wouldn't even consider trying to get GSSAPI code into OpenSSH. Success in getting even small, platform compatibility based changes into the upstream distribution has been geologically slow at best.

Cheers,

Simon.
