Future of kerberised telnet, login, rsh, ftp?
kenh at cmf.nrl.navy.mil
Wed Jul 6 10:57:18 EDT 2005

>As a relative newcomer to the kerberos world, I'm wondering what the
>future of tools like kerberised telnet, rsh, ftp and the like is. It
>seems from my viewpoint that OpenSSH (with the gssapi mode) and things
>like pam_krb5 have taken over from these tools.

Not from my perspective (and how does pam_krb5 fit in with Kerberized

My BIG problem with OpenSSH today is that it's damn hard to get out a
useful Kerberos error (I had a discussion about this with Simon Wilkinson
at the AFS Workshop - it's sort of inherent in the current architecture
of OpenSSH). This isn't a speculative problem; I had a bunch of users for
whom GSSAPI-OpenSSH simply would not work, and we could never get an
error out. After a while of trying to debug it, I eventually gave up
and told the people that they should just use one of the other Kerberos
utilities for login (which worked fine, from what I remember).

Telnet is unfortunately a mess, but the Kerberized r-commands are
relatively simple in terms of both protocol and implementation. If I
need to add support to a particular implementation of rlogin, the work
I need to do is relatively straightforward. Telnet is more of a pain,
but it's not awful. And if I need to do some custom authorization checks
on the backend (which I have to do a lot, unfortunately), this is relatively
easy to add to telnetd & rlogind. Putting this in OpenSSH ends up
being a huge mess.