kr-cmds and dropping login.krb5 (was RE: Is anyone or a group of people able to maintain appl/bsd better than MIT)

Russ Allbery rra at stanford.edu
Wed Jul 24 17:31:01 EDT 2002


Nicolas Williams <Nicolas.Williams at ubsw.com> writes:

> I see no reason not to use OpenSSH w/ Simon's patches. Bugs are bugs;
> they happen.

We differ in our opinions there, I think.

> And it so happens that OpenSSH is easier to maintain than the MIT
> BSD-derived kerberized r-commands and login.krb5; well, to me it is.
> It's all in the eye of the beholder, I suppose,

Very much so.

> And this is as it should be. I would like the MIT folk to be able to
> concentrate on improving the libraries and the KDC/kadmin stuff - the
> core of MIT krb5.

I think that we can all agree on that.  I'm just pointing out that the r*
commands are not going to go away and that some of us will continue to
need to maintain them in some fashion for at least the time being.
Regardless of the merits of your or my arguments, we're not going to
switch to OpenSSH as our primary access method in the next year or even
the next two.

> Well, let's see, OpenSSH w/ Simon's GSS patches and MIT or Heimdal krb5
> supports the use of GSS/Kerberos for network authentication, and the
> sshd doesn't actually need or use login.krb5, not at all.

I'm not really interested in hearing arguments about how we should change
our infrastructure at this time.  I understand the issues and I'll make up
my own mind on that point.

> IMO, krlogin/klogind/krsh/krshd should be easy to implement and maintain
> if:

>  - login.krb5 is dropped (krsh/krshd doesn't use login.krb5)
>  - krb4 support is dropped

> Dropping login.krb5 requires that /bin/login support the -f option,
> which is indeed generally supported by OSs that support rlogind /
> ruserok().

> Consider that dropping login.krb5 means dropping all that ugly
> OS-specific code, such as the utmp code.

This, on the other hand, is worth at least examining, although it sticks
in my mind that we've tried this before and it didn't work.  But I don't
remember the exact details on why it didn't work.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


