Future of kerberised telnet, login, rsh, ftp?

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jul 6 10:57:18 EDT 2005

>As a relative newcomer to the kerberos world, I'm wondering what the
>future of tools like kerberised telnet, rsh, ftp and the like is.  It
>seems from my viewpoint that OpenSSH (with the gssapi mode) and things
>like pam_krb5 have taken over from these tools.

Not from my perspective (and how does pam_krb5 fit in with Kerberized
telnet/rsh/ftp?)

My BIG problem with OpenSSH today is that it's damn hard to get out a
useful Kerberos error (I had a discussion about this with Simon Wilkinson
at the AFS Workshop - it's sort of inherent in the current architecture
of OpenSSH).  This isn't a speculative problem; I had a bunch of users for
whom GSSAPI-OpenSSH simply would not work, and we could never get an
error out.  After a while of trying to debug it, I eventually gave up
and told the people that they should just use one of the other Kerberos
utilities for login (which worked fine, from what I remember).

Telnet is unfortunately a mess, but the Kerberized r-commands are
relatively simple in terms of both protocol and implementation.  If I
need to add support to a particular implementation of rlogin, the work
I need to do is relatively straightforward.  Telnet is more of a pain,
but it's not awful.  And if I need to do some custom authorization checks
on the backend (which I have to do a lot, unfortunately), this is relatively
easy to add to telnetd & rlogind.  Putting this in OpenSSH ends up
being a huge mess.

