Future of kerberised telnet, login, rsh, ftp?

Douglas E. Engert deengert at anl.gov
Wed Jul 6 14:31:14 EDT 2005

OK, key exchange is needed, and is a general problem. Well where does this
stand with regards to getting the OpenSSH people to add this?
I know they know you have the mods, and that others would like to see it
added. What type of community persuasion would it take to get them to add

What I was also asking was if there were other local mods that sites also
thought they needed.

Simon Wilkinson wrote:

> Douglas E. Engert wrote:
>> I believe with version OpenSSH-4.1p1 there are no third party patches 
>> needed.
>> (Unless there is no PAM support.) We have been able to use the
>> pam session routines to get AFS tokens from delegated gssapi credentials
>> as well as from pam authentication.
>> So what patches do people still believe are needed?
> Unfortunately there is still no support in the core distribution for key 
> exchange. Without key exchange, you have to deal with the problem of 
> managing and exchanging your ssh host keys across your whole network. In 
> effect, you've got an entire additional key management issue. Given that 
> Kerberos has already solved this problem, solving it twice seems kind of 
> pointless. Certainly at my site, where we have ~1000 hosts, we couldn't 
> effectively use SSH without key exchange support.
> Some vendors (Apple, Debian) ship versions of OpenSSH with key exchange 
> support, others (Sun, VanDyke) have implemented key exchange within 
> their own codebases. For those without a helpful vendor, my patches for 
> the core OpenSSH codebase are still available.
> Cheers,
> Simon.
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
