On Wed, 2005-07-06 at 10:57 -0400, Ken Hornstein wrote:
> >As a relative newcomer to the kerberos world, I'm wondering what the
> >future of tools like kerberised telnet, rsh, ftp and the like is. It
> >seems from my viewpoint that OpenSSH (with the gssapi mode) and things
> >like pam_krb5 have taken over from these tools.
>
> Not from my perspective (and how does pam_krb5 fit in with Kerberized
> telnet/rsh/ftp ?)

That I was meaning in regard to kerberised /sbin/login.

BTW, do people ever try to do kerberised gdm/xdm without PAM?

> My BIG problem with OpenSSH today is that it's damn hard to get out a
> useful Kerberos error (I had a discussion about this with Simon Wilkinson
> at the AFS Workshop - it's sort of inherent in the current architecture
> of OpenSSH). This isn't a speculative problem; I had a bunch of users for
> whom GSSAPI-OpenSSH simply would not work, and we could never get an
> error out. After a while of trying to debug it, I eventually gave up
> and told the people that they should just use one of the other Kerberos
> utilities for login (which worked fine, from what I remember).
>
> Telnet is unfortunately a mess, but the Kerberized r-commands are
> relatively simple in terms of both protocol and implementation. If I
> need to add support to a particular implementation of rlogin, the work
> I need to do is relatively straightforward. Telnet is more of a pain,
> but it's not awful. And if I need to do some custom authorization checks
> on the backend (which I have to do a lot, unfortunately), this is relatively
> easy to add to telnetd & rlogind. Putting this in OpenSSH ends up
> being a huge mess.

Now I know the world doesn't run PAM, but isn't that the place for a PAM
account module? (Perhaps one of the few things PAM does particularly
well).

Andrew Bartlett

--
Andrew Bartlett                                 http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.         http://suse.de
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   http://hawkerc.net