bugzilla-daemon at mindrot.org
2007-May-06 12:36 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312

Summary: Add short command-line option -K for activating GSSAPIDelegateCredentials
Product: Portable OpenSSH
Version: 4.4p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: Markus.Kuhn at cl.cam.ac.uk

I would like to propose the addition of a new command-line option to the OpenSSH client program "ssh":

  -K  Enables both GSSAPI authentication and forwarding of GSSAPI credentials to the server (equivalent to the options GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes)

Reason: When logging in to servers that use Kerberized NFS, it is not possible to use publickey authentication, because ~/.ssh/authorized_keys is not available at the time of login. In such environments, which are becoming increasingly common due to security worries about the risks of unauthenticated NFS, GSSAPI/Kerberos has to be used both to authenticate the login and to enable the server to access my home directory.

In such an environment, the two command-line options

  -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes

are practically as important as, for example, -X for forwarding X11. Unfortunately, there is currently no convenient short command-line option to activate this function.

What I propose is basically the Kerberos equivalent of the two X11-forwarding options -x (disable) and -X (enable). The option -k (disable Kerberos ticket forwarding) already exists, so adding -K (enable Kerberos forwarding) is the obvious and intuitive choice here. As with X11 forwarding (-X), there may be good security reasons for not enabling Kerberos ticket forwarding by default; therefore it would be very useful to have a -K to enable Kerberos ticket forwarding on demand, only where it is appropriate.

Since Kerberos-based authentication is much faster than public-key based authentication, wherever someone is interested in forwarding a Kerberos ticket to a server, they will almost certainly also prefer to use that ticket for login authentication as well. This is why I propose that -K should enable *both* GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. I can't see a common scenario where you would want to have the latter without the former.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
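Until a short option exists, the same "on demand, only where appropriate" scoping can be expressed in ssh_config with a per-host stanza. The catch that bites people is ssh(1)'s option processing order: the first value obtained for a keyword wins, so the host-specific stanza has to come before any "Host *" defaults, or the per-host "yes" is silently ignored. The following is an added example, not code from the bug report or from OpenSSH: a small resolver for that subset of ssh_config semantics (Host patterns with globbing and "!" negation, first-obtained-value-wins), run over two constructed config fragments. The hostname login.example.org is a placeholder.

```python
"""Resolve OpenSSH client options per host from an ssh_config fragment.

Added example (not from the bug report or OpenSSH). It models the subset
of ssh_config semantics relevant to scoping GSSAPI delegation: stanzas are
processed in order, and the FIRST value obtained for a keyword wins, so
per-host stanzas must precede 'Host *' defaults.
"""
import fnmatch
import shlex

# Constructed example: delegate credentials only to the Kerberized-NFS login
# host (placeholder name), and refuse delegation everywhere else.
GOOD_CONFIG = """
Host login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
"""

# Same stanzas in the wrong order: 'Host *' is consulted first, so its 'no'
# values are obtained first and the per-host 'yes' never takes effect.
BAD_CONFIG = """
Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no

Host login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

GSSAPI_KEYWORDS = ("gssapiauthentication", "gssapidelegatecredentials")


def parse(config_text):
    """Return a list of (host_patterns, [(keyword, value), ...]) stanzas.

    Keywords are lower-cased (they are case-insensitive in ssh_config).
    Options that appear before any Host line belong to an implicit 'Host *'.
    """
    stanzas = [(["*"], [])]
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            stanzas.append((args, []))
        else:
            stanzas[-1][1].append((key, " ".join(args)))
    return stanzas


def host_matches(patterns, host):
    """A Host line matches when some positive pattern matches and no
    '!'-negated pattern matches; hostname comparison is case-insensitive."""
    host = host.lower()
    negated = [p[1:].lower() for p in patterns if p.startswith("!")]
    positive = [p.lower() for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def resolve(config_text, host, keywords=GSSAPI_KEYWORDS):
    """Effective values for `keywords` on `host`: first obtained value wins."""
    result = {}
    for patterns, options in parse(config_text):
        if not host_matches(patterns, host):
            continue
        for key, value in options:
            if key in keywords and key not in result:
                result[key] = value
    return result


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for host in ("login.example.org", "other.example.org"):
            print(label, host, resolve(cfg, host))
```

With the correctly ordered fragment, login.example.org resolves to authentication and delegation both "yes" while every other host gets "no"; with the "Host *" block first, even login.example.org resolves to "no" for both, which is the failure mode to check for when delegation mysteriously does not happen.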
bugzilla-daemon at bugzilla.mindrot.org
2007-May-11 07:16 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312

Simon Wilkinson <simon at sxw.org.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |ASSIGNED
             CC    |                            |simon at sxw.org.uk

--- Comment #1 from Simon Wilkinson <simon at sxw.org.uk> 2007-05-11 17:16:04 ---

I like the idea of having a -k flag. Historically this used to exist for protocol version 1, and it would be good to add it in version 2. However, I'm not sure what the politics of doing this would be - the option namespace is obviously limited. Do you have a patch that could be considered?

Finally, I don't think there's any situation in which GSSAPIDelegateCredentials could be legitimately used when GSSAPIAuthentication isn't.

Simon.

-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
bugzilla-daemon at bugzilla.mindrot.org
2007-May-12 13:00 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312

--- Comment #2 from Markus Kuhn <Markus.Kuhn at cl.cam.ac.uk> 2007-05-12 23:00:49 ---

Created an attachment (id=1279)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1279)
Patch adding option -K to enable GSSAPI auth. and cred. forwarding

Here is the very simple and straightforward patch (against openssh-4.6p1) that adds the suggested option -K.