[19152] in Kerberos
Re: gssapi/openssh
daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Wed Apr 30 13:36:42 2003
From: Simon Wilkinson <sxw@warspite.inf.ed.ac.uk>
Date: Wed, 30 Apr 2003 18:25:47 +0100
Message-ID: <Pine.LNX.4.44.0304301819480.7976-100000@warspite.inf.ed.ac.uk>
To: kerberos@MIT.EDU
On Wed, 30 Apr 2003, peter duff wrote:

> I have patched openssh 3.4p1 with Simon's gssapi patch, (great job by the
> way).

There'll be a patch for openssh 3.6.1p2 available in the next few days.
This brings the patch up to compliance with the latest version of the
draft, as well as fixing some encoding issues.

> 1. Does the ssh client support running kinit (locally) to first attempt to
> get a tgt if one doesn't exist?

No, it doesn't. Philosophically, I don't think that it's the job of the
client to go out and get credentials, if none exist. Practically, doing
so would require the client to know about the underlying GSSAPI mechanism,
which at present it doesn't need to.

> 2. I discovered that if I "ssh localhost", a principal of host/localhost
> is requested from the TGS. This is clearly not desired, but makes perfect
> sense.

I'm looking at a patch which would fix this behaviour. However, I'm
concerned

a) That the current behaviour satisfies the principle of least
astonishment. If the user typed 'ssh localhost', then that might be
what they meant.

b) That there may be GSSAPI mechanisms where 'ssh localhost' actually
makes sense.

Cheers,
Simon.