similar to: Kerberos V patches for OpenSSH

I note with interest that Kerberos support is now available (for the version 1 protocol, at least) in OpenSSH 2.9.9p2. However, it does not build with MIT Kerberos, due to the usual Heimdal/MIT library differences. These look, by and large, like the same problems I encountered when porting Dan Kouril's patch to MIT Kerberos - so I'm having a go at fixing them (my GSSAPI patches need

Hi, Just wondering if anyone was looking at implementing draft-ietf-secsh-gsskeyex-00 in OpenSSH? My patches for SSH version 1 Kerberos 5 support (heavily based upon work done by Dan Kouril) are now available from http://www.sxw.org.uk/computing/patches/ Is there any interest in integrating these into the distribution? If so, I'd be happy to update them to the development version. Cheers,

Hi I'd also like to express interest in Simon's kerb 5 patches being integrated into the openssh distribution. Are there currently any plans for this to happen and if so, what's the expected time frame? Ben. Simon Wilkinson <sxw at dcs.ed.ac.uk> wrote: > My patches for SSH version 1 Kerberos 5 support (heavily based upon > work done by Dan Kouril) are now available from

Dear Sir and Madam: I'm writing to you on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. We recently noticed that the OpenSSH developers had added support for the kerberos-2 at ssh.com user authentication mechanism. We are delighted but we believe additional steps are necessary, as explained

In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user. Finally, before exiting, the function frees client_user again, resulting in a double free and much mess. Patch attached. Cheers, Simon. -- Simon Wilkinson

Hello, I have a little question and this regarding the compilation of the latest release of OpenSSH on a Linux Slackware version 8 box. We are currently using Kerberos 5 for user authentification and I saw that in SSH there is only an option to configure called: --with-kerberos4, so my question is: what do I need to do to get Kerberos 5 support into OpenSSH ? I am using the MIT kerberos version

An updated version of my patch for Kerberos v5 support is now available from http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch This patch includes updated Kerberos v5 support for protocol version 1, and also adds GSSAPI support for protocol version 2. Unlike the Kerberos v5 code (which will still not interoperate with ssh.com clients and servers), the GSSAPI support is based on

Now that RFC 4462 has been published, I was wondering if there would be any interest in looking again at integrating the key exchange portions of my GSSAPI patch into the OpenSSH tree? As I've mentioned before, key exchange has significant benefits for large sites as it allows them to use Kerberos to authenticate ssh hosts, and removes the need to maintain and distribute ssh known_hosts

The following patch *) Adds a configure option to turn on the existing Kerberos v5 support in the portable version *) Extends the code to support MIT Kerberos in addition to Heimdal The patch is against the current CVS tree. I've tested it against MIT Keberos 1.2.2, I'd appreciate it if someone could confirm that Heimdal works with the portable configuration stuff. Coming RSN -

An updated version of my GSSAPI patches for OpenSSH 2.9p1 is finally available from http://www.sxw.org.uk/computing/patches/openssh.html These patches fix a bug with the hash calculation which will break interoperation with earlier versions - sorry! This release supports both Kerberos and GSI (thanks to Von Welch for the GSI support) mechanisms, and the code in it has now been widely tested

I've now completed updating my patches for GSSAPI in protocol v2 to OpenSSH 3.1p1 See http://www.sxw.org.uk/computing/patches/openssh.html As previously, you will need to apply the protocol v1 krb5 patch before the GSSAPI one, and run autoreconf from an autoconf later than 2.52 There are a number of improvements and minor bug fixes over previous patches. However, due to protocol changes this

The attached patch adds support for Heimdal and MIT Kerberos in protocol v1 in the portable code. The Heimdal side of things just enables the code that's present in OpenBSD's 3.0 release, the MIT specific code adds compatibility for those areas in which the Heimdal API differs. This adds a new configuration option --with-kerberos5=<path>, which will detect which version of the

(I hope this message is appropriate for these lists. If not, please tell me and I won't do it again.) Hi All. There will be a new release of OpenSSH in a couple of weeks. This release contains Kerberos and GSSAPI related changes that we would like to get some feedback about (and hopefully address any issues with) before the release. I encourage anyone with an interest in

Thanks to Simon Wilkinson for getting Kerberos working in OpenSSH. Changes: *openssh.spec file has been updated to use the kerberos patches based on the existence of krb5-devel rpm *added sshd-krb5.pam to contrib/redhat. This file enables the sshd to accept password auth, and check the password against the KDC. *Bumped the OpenSSH rpm build version to 3. *added sshd-krb5.pam install to

Hi, This is just a quick note to let people know that I've _almost_ got Kerberos V5 working based on the patches posted to this list. I'm currently at the stage where Kerberos principals can be used to verify logins (ie Kerberos credentials are correctly passed), but I haven't (yet) got ticket forwarding to work - this is the next step! I've taken the original patches and updated

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm pleased to (finally) announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the

https://bugzilla.mindrot.org/show_bug.cgi?id=928 --- Comment #9 from Darren Tucker <dtucker at zip.com.au> 2010-01-11 17:11:06 EST --- Created an attachment (id=1775) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1775) sshd-gssapi-multihomed.patch I updated patch #1182 to OpenBSD current and fixed a few minor whitespace things. I also removed this warning from the man page:

Versions: openssh-3.8p1-33, heimdal-0.6.1rc3-51, XFree86-4.3.99.902-40, tk-8.4.6-37, all from SuSE 9.1 (unhacked); back-version peers have openssh-3.5p1, XFree86-4.3.0-115, etc. from SuSE 8.2. Symptoms: 1. When the client and server versions are unequal, the Kerberos ticket is not accepted for authentication. All the clients have PreferredAuthentications gssapi-with-mic, gssapi, others. 2.

I've updated the Kerberos v5 support patches I'm maintaining to work with OpenSSH 2.5.1p1. They're available for download from http://www.sxw.org.uk/computing/patches/ In addition to the upgrade from 2.3.0p1 to 2.5.1p1, there's a minor bug fix - KRB5CCNAME was being set to "" if ticket forwarding failed, which confused some utilities. Please note that these patches

http://bugzilla.mindrot.org/show_bug.cgi?id=928 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 ------- I'd rather see us move towards just using