Subject: Re: Heimdal, SSH, and my hair...
To: Peter Losher <Peter.Losher@nominum.com>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 01/19/2001 17:37:18
>I have heard the "Use ktelnet" argument before and it is bogus - all
>ktelnet does is add Krb5 authentication into telnet.  The telnet protocol,
>last I checked, didn't allow for encrypted sessions and port forwarding to
>name a few.  Using ktelnet to transmit data across the public Internet is
>NOT an option for me.

Whoah, whoah, I think you need to update your info a bit.  Encrypted
sessions have been supported for YEARS (in fact, I really can't think of
a Kerberos authenticated telnet which did NOT support session encryption,
but there might have been a few out there).

Now port forwarding is a bit of a stickler, but if you're forwarding
ftp, then you should just use a Kerberized ftp (they support session
encryption as well).  Not OURS, unfortunately (but that's something I
need to fix RSN), but they do exist.  There is an up-and-coming
specification for doing X forwarding over telnet as well (and I know
of one implementation of that).

I'm not saying SSH or telnet is "better" - I'm just pointing out that:

a) The issue is complex (_which_ SSH-K5 protocol should you use?)
b) One reason it might not have been tackled yet is that SSH isn't the
   normal mode of operations for a number of Kerberos sites, so
   while ssh may be a "widely used connectivity tool", that doesn't
   necessarily hold true in the Kerberos world.

I'm not arguing _AGAINST_ better SSH-K5 integration, of course ... but
I guess I'm missing something - how is the current situation worse
than before Heimdal?  You had to install a custom SSH before, right?

--Ken