Future of kerberised telnet, login, rsh, ftp?

Simon Wilkinson sxw at sxw.org.uk
Wed Jul 6 14:26:09 EDT 2005


Douglas E. Engert wrote:
> I believe with version OpenSSH-4.1p1 there are no third party patches
> needed. (Unless there is no PAM support.) We have been able to use the
> pam session routines to get AFS tokens from delegated gssapi credentials
> as well as from pam authentication.
> 
> So what patches do people still believe are needed?

Unfortunately there is still no support in the core distribution for key 
exchange. Without key exchange, you have to deal with the problem of 
managing and exchanging your ssh host keys across your whole network. In 
effect, you've got an entire additional key management issue. Given that 
Kerberos has already solved this problem, solving it twice seems kind of 
pointless. Certainly at my site, where we have ~1000 hosts, we couldn't 
effectively use SSH without key exchange support.

Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange 
support, others (Sun, VanDyke) have implemented key exchange within 
their own codebases. For those without a helpful vendor, my patches for 
the core OpenSSH codebase are still available.

Cheers,

Simon.

