bugzilla-daemon at mindrot.org
2007-May-06 12:36 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312
Summary: Add short command-line option -K for activating GSSAPIDelegateCredentials
Product: Portable OpenSSH
Version: 4.4p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: Markus.Kuhn at cl.cam.ac.uk
I would like to propose the addition of a new command-line option to
the OpenSSH client program "ssh":
-K Enables both GSSAPI authentication and forwarding of
GSSAPI credentials to server (equivalent to options
GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes)
Reason:
When logging in to servers that use Kerberized NFS, it is not possible
to use publickey authentication, because ~/.ssh/authorized_keys is not
available at the time of login. In such environments, which become
increasingly common due to security worries about the risks of
unauthenticated NFS, GSSAPI/Kerberos has to be used both to
authenticate the login and to enable the server to access my home
directory. In such an environment, the two command-line options
-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes
are practically as important as, for example, -X for forwarding X11.
Unfortunately, there exists currently no convenient short command-line
option to activate this function. What I propose is basically the
Kerberos equivalent of the two X11-forwarding options -x (disable) and
-X (enable). The option -k (disable Kerberos ticket forwarding) does
already exist, so adding -K (enable Kerberos forwarding) is the obvious
and intuitive choice here.
Like with X11 forwarding (-X), there may be good security reasons for
not enabling Kerberos ticket forwarding by default, therefore it would
be very useful to have a -K to enable Kerberos ticket forwarding on
demand only where it is appropriate.
Since Kerberos-based authentication is much faster than public-key
based authentication, wherever someone is interested in forwarding a
Kerberos ticket to a server, they will almost certainly also prefer to
use that ticket for login authentication as well. This is why I propose
that -K should enable *both* GSSAPIAuthentication=yes and
GSSAPIDelegateCredentials=yes. I can't see a common scenario where you
would want to have the latter without the former.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.mindrot.org
2007-May-11 07:16 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312
Simon Wilkinson <simon at sxw.org.uk> changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Status      |NEW      |ASSIGNED
CC          |         |simon at sxw.org.uk
--- Comment #1 from Simon Wilkinson <simon at sxw.org.uk> 2007-05-11 17:16:04 ---
I like the idea of having a -k flag. Historically this used to exist
for protocol version 1, and it would be good to add it to version 2.
However, I'm not sure what the politics of doing this would be - the
option namespace is obviously limited. Do you have a patch that could
be considered?
Finally, I don't think there's any situation in which
GSSAPIDelegateCredentials could be legitimately used when
GSSAPIAuthentication isn't.
Simon.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
bugzilla-daemon at bugzilla.mindrot.org
2007-May-12 13:00 UTC
[Bug 1312] Add short command-line option -K for activating GSSAPIDelegateCredentials
http://bugzilla.mindrot.org/show_bug.cgi?id=1312
--- Comment #2 from Markus Kuhn <Markus.Kuhn at cl.cam.ac.uk> 2007-05-12 23:00:49 ---
Created an attachment (id=1279)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1279)
Patch adding option -K to enable GSSAPI auth. and cred. forwarding
Here is the very simple and straightforward patch (against openssh-4.6p1)
that adds the suggested option -K.