Future of kerberised telnet, login, rsh, ftp?
Andrew Bartlett
abartlet at samba.org
Wed Jul 6 18:36:19 EDT 2005
On Wed, 2005-07-06 at 10:57 -0400, Ken Hornstein wrote:
> >As a relative newcomer to the kerberos world, I'm wondering what the
> >future of tools like kerberised telnet, rsh, ftp and the like is. It
> >seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> >like pam_krb5 have taken over from these tools.
>
> Not from my perspective (and how does pam_krb5 fit in with Kerberized
> telnet/rsh/ftp ?)

That I was meaning in regard to kerberised /sbin/login. BTW, do people
ever try to do kerberised gdm/xdm without PAM?

> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH). This isn't a speculative problem; I had a bunch of users for
> whom GSSAPI-OpenSSH simply would not work, and we could never get an
> error out. After a while of trying to debug it, I eventually gave up
> and told the people that they should just use one of the other Kerberos
> utilities for login (which worked fine, from what I remember).
>
> Telnet is unfortunately a mess, but the Kerberized r-commands are
> relatively simple in terms of both protocol and implementation. If I
> need to add support to a particular implementation of rlogin, the work
> I need to do is relatively straightforward. Telnet is more of a pain,
> but it's not awful. And if I need to do some custom authorization checks
> on the backend (which I have to do a lot, unfortunately), this is relatively
> easy to add to telnetd & rlogind. Putting this in OpenSSH ends up
> being a huge mess.

Now I know the world doesn't run PAM, but isn't that the place for a PAM
account module? (Perhaps one of the few things PAM does particularly
well).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
More information about the krbdev mailing list