Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson sxw at sxw.org.uk
Wed Jul 6 11:35:01 EDT 2005

Ken Hornstein wrote:
> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH). 

Thinking back, I perhaps didn't make this clear. Both client and server 
error messages should be readily available on their respective machines. 
Server side GSSAPI errors currently go into the debug logs - you should 
be able to see these by running the server with the '-d' option. It's 
arguable that these should go into the system logs, although when they 
did, people complained about the verbosity.

Errors on the client are either sent to stdout, or will be visible when 
the client is run with the '-v' option.

The issue is with transmitting server errors back to the client for 
display. As well as being a religous issue (how much information should 
a server provide to the client about why their authentication failed), 
doing so is also complicated by the internal architecture of OpenSSH.

Hope that clears things up!



More information about the krbdev mailing list