My site uses Kerb 4 (actually AFS) for virtually all authentication. No users have local passwords on machines. We'd like to start allowing SSH2 connections, but OpenSSH 2.3.0p1 will not authenticate Kerberos passwords for SSH2 connections. In auth2.c:

    #ifdef KRB4
            /* turn off kerberos, not supported by SSH2 */
            options.kerberos_authentication = 0;
    #endif

If I remove this snippet of code, then all works as expected and SSH2 users can authenticate. Why is this code here? Will I open a security hole by removing the code? I understand that ticket-forwarding, etc. won't work.

-Kevin
On Thu, Jan 11, 2001 at 02:42:51PM -0500, Kevin Sullivan wrote:

> #ifdef KRB4
>         /* turn off kerberos, not supported by SSH2 */
>         options.kerberos_authentication = 0;
> #endif
>
> If I remove this snippet of code, then all works as expected and SSH2 users
> can authenticate. Why is this code here? Will I open a security hole by
> removing the code? I understand that ticket-forwarding, etc. won't work.

You cannot remove this code and expect to automagically get a full implementation of Kerberos IV + SSH2. Until recently, there was no spec for Kerberos over SSH2. But perhaps Kerberos password authentication works; this needs to be tested...

-markus