Comments on the rlogin/kcmd thread

Darren Reed (Optimation) darrenr at optimation.com.au
Thu Aug 8 19:58:00 EDT 2002


From: "Jason Garman" <jgarman at wedgie.org>
> On Wed, Aug 07, 2002 at 03:10:35PM -0400, Sam Hartman wrote:
> > 
> > Finally, some concerns were raised that dropping the applications would
> > make Kerberos less attractive to new users and might harm the
> > technology.  So far, we haven't seen justification of that concern
> > sufficient to make us want to continue maintaining the applications.
> > We are interested in any additional arguments in this area.
> > 
> A few thoughts:
> 
> - Most PC X server products still only have support for Kerberized Telnet
>   to launch X clients on Unix hosts... thus ktelnet will continue to be
>   an important part of those doing cross-platform single-sign-on
>   .. they're starting to integrate ssh support, but since there doesn't
>   seem to be a widely deployed standard on gssapi-ssh...

That aside, there are said to be issues with the latest OpenSSH's
"privilege separation" code and Kerberos not working well together.
Given the number of security alerts I've seen for Kerberos vs OpenSSH
in the last 12 months (or longer), I know what I'd prefer to be using
with Kerberos from a security standpoint.

> - It's nice to have the sample applications in there to test and make
>   sure the basic functionality is working, plus it establishes a "base
>   line" functionality requirement, especially for vendors.

Definitely!  This last point cannot be understated.  It is one thing for
kinit to work, but when you can "telnet -x remote" and not need to
enter the password again, you have that much more confidence in
it all working.

That said, I get the feeling that no real forward progress is going to
be made in the appl/bsd,telnet,ftp area inside MIT Kerberos, if what
Sam is saying is any indication.  If the development and maintenance
of these is to be split off separately, does this rule out shipping them
independently when it comes time to say:
"Here's release X..Y of MIT Kerberos" ?

Darren






More information about the krbdev mailing list