Subject: Re: Heimdal, SSH, and my hair...
To: Peter Losher <Peter.Losher@nominum.com>
From: Ken Hornstein <email@example.com>
Date: 01/19/2001 17:37:18

>I have heard the "Use ktelnet" argument before and it is bogus - all
>ktelnet does is add Krb5 authentication into telnet. The telnet protocol,
>last I checked, didn't allow for encrypted sessions and port forwarding to
>name a few. Using ktelnet to transmit data across the public Internet is
>NOT an option for me.

Whoa, whoa, I think you need to update your info a bit. Encrypted
sessions have been supported for YEARS (in fact, I really can't think of
a Kerberos authenticated telnet which did NOT support session encryption,
but there might have been a few out there).

Now port forwarding is a bit of a stickler, but if you're forwarding
ftp, then you should just use a Kerberized ftp (they support session
encryption as well). Not OURS, unfortunately (but that's something I
need to fix RSN), but they do exist. There is an up-and-coming
specification for doing X forwarding over telnet as well (and I know
of one implementation of that).

I'm not saying SSH or telnet is "better" - I'm just pointing out that:

a) The issue is complex (_which_ SSH-K5 protocol should you use?)
b) One reason it might not have been tackled yet is that SSH isn't the
   normal mode of operations for a number of Kerberos sites, so
   while ssh may be a "widely used connectivity tool", that doesn't
   necessarily hold true in the Kerberos world.

I'm not arguing _AGAINST_ better SSH-K5 integration, of course ... but
I guess I'm missing something - how is the current situation worse
than before Heimdal? You had to install a custom SSH before, right?