After reading some more from the archives, a private email, and some general research, I see that KerbV support has been dropped in favor of GSSAPI. Which is fine, and wonderful, I support GSSAPI.

But, erm, the announcement says, "This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED."

Confidence inspiring! =)

At USC, we are currently using (patched) 3.6.1p2 which has TGT passing support in kerb1, which is kinda nice - but doesn't seem to work right with kerberos password authentication via pam. 3.7.1p2 seems to support the latter, but drops the former.

For those who have used the GSSAPI stuff in 3.7.1 - have you found it stable? When is this code supposed to be considered stable? I don't seem to see a way to use/try this code at all. I don't see any docs on it anywhere... am I being blind?

Thanks,
-- 
Phil Dibowitz                             phil at ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 - Benjamin Franklin, 1759

On Mon, 9 Feb 2004, Phil Dibowitz wrote:

> But, erm, the announcement says, "This release contains some GSSAPI
> user authentication support to replace legacy KerberosV authentication
> support. At present this code is still considered experimental and
> SHOULD NOT BE USED."

The code drop of GSSAPI support into OpenSSH coincided with major revisions to the Internet-Draft on which it was based. These revisions were to address concerns about the lack of linking between the GSSAPI context and OpenSSH's session identifiers. These concerns applied equally to the Kerberos V code which was in early versions of OpenSSH.

The GSSAPI code in 3.7.1 is based on the pre-revision protocol. CVS has an implementation of the newest I-D, which overcomes these issues.

It should be noted that implementations based on the earlier I-Ds are _not_ compatible with those using the newest ones. If you can wait, wait for the 3.7.2 codebase.

> For those who have used the GSSAPI stuff in 3.7.1 - have you found it
> stable?

I've been distributing patches implementing GSSAPI support for several years now, and they're fairly widely deployed. Unfortunately I don't believe they can be considered 'stable' until the I-D upon which they're based makes it through to an RFC.

If you want to try out the code in 3.7.1 (and I'd really recommend waiting for 3.7.2 for production use), you need to turn on 'GSSAPIAuthentication' in both the client and the server.

Cheers,

Simon.

sxw at inf.ed.ac.uk wrote:

> It should be noted that implementations based on the earlier I-Ds are
> _not_ compatible with those using the newest ones. If you can wait, wait
> for the 3.7.2 codebase.

FYI It will probably be called 3.8 rather than 3.7.2.

-d

Damien Miller wrote:

>
> FYI It will probably be called 3.8 rather than 3.7.2.

This might be a bad question to ask... but is there an _approximate_ ETA on 3.7.2/3.8 ?

-- 
Phil Dibowitz                             phil at ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 - Benjamin Franklin, 1759

Phil Dibowitz wrote:

> Damien Miller wrote:
>
>>FYI It will probably be called 3.8 rather than 3.7.2.
>
>
> This might be a bad question to ask... but is there an _approximate_ ETA
> on 3.7.2/3.8 ?

Very soon - by the end of the month, if not sooner. Please grab a snapshot and test - they are very stable.

-d