
Re: kerberos support in ssh/lsh



Ken Raeburn <raeburn@mit.edu> writes:

> nisse@lysator.liu.se (Niels Möller) writes:
>
> > An implementation problem is that lshd is a single server; it doesn't
> > fork until it spawns a shell for a successfully logged in user. So it
> > can't use calls like krb5_get_kdc_cred that ultimately block when
> > waiting for a reply from the kdc. I can see at least three different
> > approaches:
> 
> Okay, I've missed something ... why is it bad to block, as long as the
> timeout isn't infinite?  (Would it help if the timeout could be
> controlled by the application?)  The delay should be very short (under
> a second) if all the KDCs are available.

Then all other connections handled by the server will stall while the
server is waiting for the KDCs. It seems a lot nicer and more robust
to (i) allow KDCs a reasonable time to respond (at least several
seconds), and (ii) continue doing other useful things while waiting.

> Tatu was working on a design for this as well, though his first
> proposal presented at the last IETF meeting had some problems, and I
> haven't seen anything else since.  I don't follow ssh lists other than
> the IETF SecSh WG list though.

I haven't yet seen any internet-draft for this. I believe it is wise
not to try to hack it into lsh until Tatu or somebody else who
knows both kerberos and ssh writes up a spec. Unfortunately I couldn't
attend that IETF meeting.

> One big benefit of this would be, if you've already got a Kerberos
> infrastructure deployed and are adding ssh, you can do mutual
> authentication with Kerberos and should be able to do away with the
> "add this host key" question that many people simply answer "yes" to
> without verifying the data through independent and secure means.

Yes, I imagine that some kerberos operations would replace the normal
ssh key exchange and user authentication (actually, I have hacked srp
support in a similar way: when use of srp is negotiated, it provides
all of key exchange, host and user authentication, replacing the
normal ssh mechanisms).

/Niels
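The blocking problem Niels describes, as an added illustration that is not part of the original mail, of lsh, or of any Kerberos library: a single-process server that calls a blocking KDC routine stalls every other connection until the KDC answers, whereas handing the wait to a worker and bounding it with a timeout delays only the connection that asked. The KDC call here is a constructed stand-in (a sleep that returns a fake credential); the request mix, connection names and delays are likewise made up for the demonstration.

```python
"""Single-process server: blocking vs. non-blocking wait on an external
authentication service (a stand-in for a Kerberos KDC)."""
import asyncio
import time


def blocking_kdc_lookup(principal, delay):
    """Constructed stand-in for a blocking library call such as
    krb5_get_kdc_cred(): sleeps `delay` seconds, then returns a fake
    credential. No real Kerberos traffic is involved."""
    time.sleep(delay)
    return f"ticket-for-{principal}"


# Constructed request mix: (connection id, kind, simulated KDC delay).
# "plain" connections need no KDC round trip; "krb" connections do.
REQUESTS = [
    ("c1", "krb", 0.4),    # wants Kerberos; its KDC is slow to answer
    ("c2", "plain", 0.0),
    ("c3", "plain", 0.0),
    ("c4", "krb", 0.02),   # wants Kerberos; its KDC answers quickly
]


def serve_blocking(requests):
    """One loop, blocking KDC calls: every connection queued behind a slow
    KDC lookup waits for it. Returns connection ids in completion order."""
    done = []
    for cid, kind, delay in requests:
        if kind == "krb":
            blocking_kdc_lookup(cid, delay)   # stalls the whole server
        done.append(cid)
    return done


async def _handle(cid, kind, delay, timeout, done, loop):
    if kind == "krb":
        try:
            # Run the blocking call in a worker thread so the event loop
            # keeps serving other connections, and bound the wait so a dead
            # KDC fails only this connection, not the server.
            await asyncio.wait_for(
                loop.run_in_executor(None, blocking_kdc_lookup, cid, delay),
                timeout)
        except asyncio.TimeoutError:
            done.append(cid + ":kdc-timeout")
            return
    done.append(cid)


async def _serve(requests, timeout):
    loop = asyncio.get_running_loop()
    done = []
    await asyncio.gather(*(_handle(*r, timeout, done, loop) for r in requests))
    return done


def serve_nonblocking(requests, timeout=5.0):
    """Same requests; KDC waits are offloaded and bounded by `timeout`
    seconds. Returns connection ids in completion order, with
    ':kdc-timeout' appended to connections whose KDC did not answer."""
    return asyncio.run(_serve(requests, timeout))


if __name__ == "__main__":
    print("blocking:    ", serve_blocking(REQUESTS))
    print("non-blocking:", serve_nonblocking(REQUESTS))
    print("short timeout:", serve_nonblocking(REQUESTS, timeout=0.15))
```

In the blocking variant c2 and c3, which need nothing from a KDC, still finish only after c1's slow lookup; in the non-blocking variant they finish immediately, c4 finishes as soon as its KDC answers, and with a short timeout c1 alone is reported as failed while the rest of the server carries on.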