Subject: Re: krb5 for ssh2
To: Gabriel Kihlman <gk@abc.se>
From: Jim Wise <jwise@draga.com>
List: tech-security
Date: 05/16/2003 23:12:27

On Fri, 16 May 2003, Gabriel Kihlman wrote:

>Roland Dowdeswell <elric@imrryr.org> writes:
>
>> On 1052934412 seconds since the Beginning of the UNIX epoch
>> Jun-ichiro itojun Hagino wrote:
>>>
>>>	krb5 support for ssh2 is committed to openssh main tree (usr.bin/ssh
>>>	in openbsd).  if anyone cares, i can bring the portion in.  let me know
>>
>> Thanks for adding this.  Speaking of which there appears to be some
>> patches that add GSSAPI support to OpenSSH in a much better way.  Why
>> don't we consider adding these?
>>
>> http://www.sxw.org.uk/computing/patches/openssh.html
>
>One good reason is mentioned by Damien Miller here:
>http://www.mindrot.org/pipermail/openssh-unix-dev/2003-May/018257.html
>
>Following that thread would probably be fruitful if you want to
>decide on which direction you want to go.

So I read (a chunk of) the thread, and I've gotta say, I'm not
convinced.  Sure, doing krb5 in ssh2 the right way (via gssapi) involves
more code.  This is not in and of itself a strike against it.  If anything,
the code Roland linked, which is apparently in daily use, may be a
better bet than code done locally to the OpenSSH group, whose leadership
have said repeatedly that they don't use Kerberos, and thus are not
willing to make any large effort in the direction of supporting it.

Kerberos (any) support in OpenSSH with privsep, for example, is broken
in a peculiarly boneheaded way, and has been since the introduction of
privsep.  How much confidence, then, should I put in the OpenSSH group's
choice of krb5/ssh integration code?

-- 
				Jim Wise
				jwise@draga.com