Future of kerberised telnet, login, rsh, ftp?
Douglas E. Engert
deengert at anl.gov
Wed Jul 6 14:31:14 EDT 2005
OK, key exchange is needed, and is a general problem. Well, where does this
stand with regards to getting the OpenSSH people to add this?
I know they know you have the mods, and that others would like to see it
added. What type of community persuasion would it take to get them to add
What I was also asking was if there were other local mods that sites also
thought they needed.
Simon Wilkinson wrote:
> Douglas E. Engert wrote:
>> I believe with version OpenSSH-4.1p1 there are no third party patches
>> (Unless there is no PAM support.) We have been able to use the
>> pam session routines to get AFS tokens from delegated gssapi credentials
>> as well as from pam authentication.
>> So what patches do people still believe are needed?
> Unfortunately there is still no support in the core distribution for key
> exchange. Without key exchange, you have to deal with the problem of
> managing and exchanging your ssh host keys across your whole network. In
> effect, you've got an entire additional key management issue. Given that
> Kerberos has already solved this problem, solving it twice seems kind of
> pointless. Certainly at my site, where we have ~1000 hosts, we couldn't
> effectively use SSH without key exchange support.
> Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange
> support, others (Sun, VanDyke) have implemented key exchange within
> their own codebases. For those without a helpful vendor, my patches for
> the core OpenSSH codebase are still available.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439