Subject: Re: gssapi for ssh2 (was Re: krb5 for ssh2)
To: Roland Dowdeswell <elric@imrryr.org>
From: Jim Wise <jwise@draga.com>
List: tech-security
Date: 07/24/2003 17:02:46

On Thu, 24 Jul 2003, Jim Wise wrote:

>On Thu, 15 May 2003, Roland Dowdeswell wrote:
>
>>On 1052934412 seconds since the Beginning of the UNIX epoch
>>Jun-ichiro itojun Hagino wrote:
>>>
>>>	krb5 support for ssh2 is committed to openssh main tree (usr.bin/ssh
>>>	in openbsd).  if anyone cares, i can bring the portion in.  let me know
>>
>>Thanks for adding this.  Speaking of which there appear to be some
>>patches that add GSSAPI support to OpenSSH in a much better way.  Why
>>don't we consider adding these?
>>
>>http://www.sxw.org.uk/computing/patches/openssh.html
>
>I have a working pkgsrc package for openssh + the later version of this
>code, which I will be committing tonight.  Once a few issues with the
>pkg are worked out, this should provide a good basis for a decision as
>to whether we want this code in base...

This is now done.  From the commit message:

Import package for openssh+gssapi, which is openssh-3.6.1p2 with version
20030430 of the GSSAPI patches from

	http://www.sxw.org.uk/computing/patches/openssh.html

.  From the site:

  The patches on this page are concerned with adding support for
  authenticating users via their Kerberos credentials, and allowing
  authenticated users to forward their credentials to a remote
  machine over ssh.

  These patches are against various versions of the OpenSSH portable
  code. SSH has both a legacy protocol version 1, and a newer,
  protocol version 2 (which is being standardised in the IETF).
  Techniques exist for performing Kerberos authentication over both
  protocols, and GSSAPI authentication over protocol version 2.

In this package standard ssh support for kerberos versions 4 and 5 is kept
for version 1 of the ssh protocol (openssh does not support kerberos 4 in
ssh protocol version 2).

These patches, which provide a much more thorough implementation of kerberos
5 support than that shipped with openssh, are pkg'ed here with an eye toward
evaluation of their usefulness for inclusion in the base os.

-- 
				Jim Wise
				jwise@draga.com