[OpenAFS] arg, ssh and afs was the subject

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 24 Jul 2001 00:10:41 -0400 (EDT)


On Tue, 17 Jul 2001 Peter.Kelemen@cern.ch wrote:

> * Charles Clancy (mgrtcc@cs.rose-hulman.edu) [20010717 09:32]:
> 
> > As far as I know, OpenSSH will only forward K4 TGTs, not K5 ones:
> > /usr/src/openssh-2.9p1$ ./configure --help | egrep -i "kerb|afs"
> >   --with-kerberos4=PATH   Enable Kerberos 4 support
> >   --with-afs=PATH         Enable AFS support
> 
> A fellow sysadmin has written a patch to add Kerberos 5 support
> for OpenSSH-2.5.2p2.  You might try this, although it has never
> been tested with OpenAFS.  We use this patch in a production
> environment among AIX4 and Linux2 clients with Heimdal 0.3d.
> http://people.inf.elte.hu/gombasg/patches/openssh-krb5.2001-04-05

I was kind of hoping someone else would say this, but...

Please don't deploy this code in new production environments.  While there
is probably nothing fundamentally wrong with it (I haven't read the code
in enough detail to say for certain), it implements a protocol that is
not and probably never will be standardized, which means that by using it,
you are sacrificing interoperability with other sites.  A better solution
is to use GSSAPI-based authentication, which is more general (in that it
can support multiple underlying mechanisms) and the subject of ongoing
standards work.  Others on this list have mentioned Simon Wilkinson's work
in implementing the GSSAPI-based authentication methods in OpenSSH.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA