Future of kerberised telnet, login, rsh, ftp?
sxw at sxw.org.uk
Wed Jul 6 14:26:09 EDT 2005

Douglas E. Engert wrote:
> I believe with version OpenSSH-4.1p1 there are no third party patches
> (Unless there is no PAM support.) We have been able to use the
> pam session routines to get AFS tokens from delegated gssapi credentials
> as well as from pam authentication.
> So what patches do people still believe are needed?

Unfortunately there is still no support in the core distribution for key
exchange. Without key exchange, you have to deal with the problem of
managing and exchanging your ssh host keys across your whole network. In
effect, you've got an entire additional key management issue. Given that
Kerberos has already solved this problem, solving it twice seems kind of
pointless. Certainly at my site, where we have ~1000 hosts, we couldn't
effectively use SSH without key exchange support.

Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange
support, others (Sun, VanDyke) have implemented key exchange within
their own codebases. For those without a helpful vendor, my patches for
the core OpenSSH codebase are still available.