Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson sxw at sxw.org.uk
Wed Jul 6 11:35:01 EDT 2005


Ken Hornstein wrote:
> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH). 

Thinking back, I perhaps didn't make this clear. Both client and server 
error messages should be readily available on their respective machines. 
Server side GSSAPI errors currently go into the debug logs - you should 
be able to see these by running the server with the '-d' option. It's 
arguable that these should go into the system logs, although when they 
did, people complained about the verbosity.

Errors on the client are either sent to stdout, or will be visible when 
the client is run with the '-v' option.

The issue is with transmitting server errors back to the client for 
display. As well as being a religious issue (how much information should 
a server provide to the client about why their authentication failed), 
doing so is also complicated by the internal architecture of OpenSSH.

Hope that clears things up!

Cheers,

Simon.

