
Re: [Sam Hartman <hartmans@mekinok.com>] Handling ssh



>>>>> "Matthew" == Matthew Vernon <matthew@debian.org> writes:

    Matthew> What currently is the problem with the kerberos support
    Matthew> in the openssh source?

1) It does not even attempt to support draft-ietf-secsh-gss-keyex,
    which is really the direction Kerberos ssh should go in.

2) The support of krb5 for sshv1 is broken.  See the patches I point
    to in my ITP for some of the problems.

3) Even if it worked as designed, it is not interoperable with the
   Kerberos ticket forwarding in ssh-nonfree.  That's sort of
   unfortunate as that style of Kerberos support is in wide use.




    Matthew> I think ideally, one source package that produces
    Matthew> multiple binary packages is really what we want. Writing
    Matthew> the rules file would be fun, though :)

Once all the patches are integrated upstream I think that one binary
package is ideal.  I really dislike build systems that patch source at
build time, so I'd recommend two source packages until upstream
accepts the patches.

There is work in the Kerberos community outside Debian to get these
patches merged.


