Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Security Operating Systems BSD

Kerberos Support In OpenSSH 122

Dan writes "Marshall Vale writes on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Marshall says that Kerberos support within OpenSSH may be incomplete and needs more work. In particular, implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms will better serve the needs of Kerberos community. Secondly, he says that they would like to reduce user confusion associated with all of the different options for Kerberos and SSH. He suggests adoption of the GSSAPI key exchange mechanism in the IETF draft (which uses Kerberos to authenticate both parties to each other), in order to avoid man-in-the-middle attacks."
This discussion has been archived. No new comments can be posted.

Kerberos Support In OpenSSH

Comments Filter:
  • sad. (Score:1, Funny)

    by Anonymous Coward
    What's sad is that at first glance I thought draft-ietf-secsh-gsskeyex said goatsecx. It is quite a jumble of acronyms, isn't it though?
  • RSA? (Score:3, Insightful)

    by paranode ( 671698 ) on Monday June 30, 2003 @08:44AM (#6330204)
    Is there any advantage to using this over the already-usable RSA key authentication in SSH?
    • Re:RSA? (Score:5, Insightful)

      by Mark Bainter ( 2222 ) on Monday June 30, 2003 @09:14AM (#6330416)
      Yes. Scenario: 500 *nix servers, team of 10 administrators. Solution 1: Each user gets a login created on each machine, and then they login, create an ssh key, and distribute the public key to all other machines. Later, when that person leaves, all those keys and all those user accounts get deleted. (Given, you could use NIS/LDAP/etc to try and alleviate the user-account side of the issue. But you didn't mention that as part of your RSA solution, and note that each of these solutions has potential inherent security problems.) Solution 2: Setup kerberos. Authenticate all users for all machines securely from one location. Add and delete user accounts from one location.
      • Re:RSA? (Score:3, Insightful)

        Solution 2: Setup kerberos. Authenticate all users for all machines securely from one location. Add and delete user accounts from one location.

        Depends what you means by "accounts". Any way you look at it, you'll want to set up something like LDAP for distributing the equivalent of /etc/passwd data. Kerberos gives you user authentication, and the ability to disable user accounts globally -- though not within the ticket lifetime! Kerberos doesn't give you much in the way of provisioning accounts, whic

    • Re:RSA? (Score:5, Informative)

      by hbo ( 62590 ) * on Monday June 30, 2003 @09:16AM (#6330421) Homepage
      The main advantage of using Kerberos for key exchange is the elimination of the known_hosts file, and the tendency for ssh users to accept any
      old key offered by the server the first time they connect. This common behavior exposes the user to the risk of man-in-the-middle attacks. If I've tricked your stack into connecting to me instead of the host you thought you were getting, I can spoof both ends of the connection and intercept your traffic in the clear. Also, Kerberos authentication is two-way (server to client AND client to server)
      • Re:RSA? (Score:3, Interesting)

        The main advantage of using Kerberos for key exchange is the elimination of the known_hosts file, and the tendency for ssh users to accept any old key offered by the server the first time they connect. This common behavior exposes the user to the risk of man-in-the-middle attacks. If I've tricked your stack into connecting to me instead of the host you thought you were getting, I can spoof both ends of the connection and intercept your traffic in the clear.

        Sadly, recent implementations of MIT Kerberos au

        • Re:RSA? (Score:2, Informative)

          Sadly, recent implementations of MIT Kerberos automatically reverse DNS names. So, if I can spoof the user's target DNS name to point to my blackhat machine, the Kerberos libraries will cheerfully reverse my IP address to get the Kerberos principle for authentication.

          But what does that buy you? I assume that a KDC must encrypt part of it's reply with the host principal's secret key that must also be stored and read from a local keytab file that typically only root can update. How can you spoof this part
          • I assume that a KDC must encrypt part of it's reply with the host principal's secret key that must also be stored and read from a local keytab file that typically only root can update.


            Sure, so the blackhat machine must have a host principal. That might be secure enough in a small environment. In an enterprise, it's not. You can't guarantee that the trustworthiness of every machine in an enterprise. If you could, you would need Kerberos much less.

            :w

        • That still doesn't get you anywhere unless you manage to subvert the host key of some machine that's a member of the Kerberos realm. Once an attacker has managed to compromise both a host key and the DNS, yes, it's possible to fool a client; but an almost equivalent exploit is possible with non-Kerberized ssh as well.
    • Re:RSA? (Score:3, Informative)

      by coyote-san ( 38515 )
      Yes. Many of them.

      SSH is great for what it does, but it really doesn't do that much. Most people don't notice this since they don't need it to do much - for them it's just a better telnet.

      But it scales horribly, look at the other comments.

      Worse, SSH drops authentication information. This doesn't sound like much until you've worked in an environment where clients and servers can perform mutual authentication "beneath the surface," but once you have going back is painful.
    • Re:RSA? (Score:4, Informative)

      by The Vorlon ( 15731 ) on Monday June 30, 2003 @09:44AM (#6330703)

      If you're deploying SSH in an environment that already uses Kerberos, there absolutely is an advantage. GSSAPI external key exchange means that, if you're authenticated to the Kerberos realm, you have tickets that will let you connect to any other machine in the realm (or in a trusted realm) without having to do out-of-band verification of the RSA key's fingerprint.

      With traditional RSA key authentication in SSH, the security of the SSH connection requires that either the user is diligent enough to check every new RSA fingerprint when it pops up, or that the site admin has stored all of the machine fingerprints in /etc/ssh/ssh_known_hosts. With Kerberos, mutual authentication is done for you. This is a very big advantage for anyone with a lot of machines, particularly if Kerberos is in use anyway.

    • Re:RSA? (Score:2, Informative)

      by yandros ( 38911 )
      Kerberos is used (although not as uniformly as might be wished) in a few decent remote filesystems as well. This can be a real boon for such setups (which should be more common, IMHO). Without it, you can get a secure login to a remote machine, but still need to provide that machine with an authenticator for secure network services (such as afs, nfs, ftp, imap, etc.).

      At MIT, at least a year or two back, we had people using a mixture of ssh and kerberized rlogin just to deal with the ticket-forwarding iss
  • ssh and telnet (Score:3, Interesting)

    by ih8apple ( 607271 ) on Monday June 30, 2003 @08:47AM (#6330222)
    To avoid moronic passwords being captured over cleartext telnet or ftp sessions, I think telnet and ftp should be disabled across the world with very limited exceptions. All UNIX and Linux distros should have cleartext protocols disabled by default. Once one account is comprised, the rest of a system usually goes very easily. Regardless of adding Kerberos support in OpenSSH, any kind of ssh or sftp connection immediately improves the worldwide crackability situation. (and yes, I just made up the word crackability=ease of access for crackers)
    • Re:ssh and telnet (Score:2, Insightful)

      by Anonymous Coward
      We'd also better disable ESMTP and POP3 too. You don't mind waiting for your mail while we write a secure replacement, do you?
      • Re:ssh and telnet (Score:5, Insightful)

        by Surak ( 18578 ) * <{moc.skcolbliam} {ta} {karus}> on Monday June 30, 2003 @08:54AM (#6330270) Homepage Journal
        Secure IMAP with Kerberos support. :-P

        • Re:ssh and telnet (Score:2, Informative)

          by oddityfds ( 138457 )
          There's KRB5/GSSAPI/IMAP support in Ximian Evolution nowadays. You need version 1.2.4 or later. It's enabled in the binaries for RHL9 from Ximian. A nice single-sign-on mail solution for sites with a Kerberos infrastructure.
      • Re:ssh and telnet (Score:3, Informative)

        by lysander ( 31017 )
        there exists kerberos authenticated SMTP and also kerberos authenticated POP (KPOP). both are in use at MIT, but the former is a relatively new service.
      • by drasfr ( 219085 ) <revedemoi@@@gmail...com> on Monday June 30, 2003 @09:33AM (#6330587)
        Well, Pop3 can be fairly secure, pop3 over ssl.

        I have my own SMTP & pop3 server, and I have compiled my POP3 daemon with ssl support, and I use outlook to connect, securely on pop3, at least no cleartext password exchange there.
        Althought it doesn't change anything in the man-in-the-middle problem.
        One problem only, as the SSL certificate has been signed by myself, when outlook reconnect to the server first time it is run, it says the certificate is unknown.
        • The problem with protecting a generic connection with SSL is that the password is actually passed over the connection. This means if the SSL is ever comprimised it would be fairly simple to crack the password. Use of Strong Authentication mechanisms such as SRP eliminates this problem.
      • SMTP doesn't have passwords at all, and POP3 (like IMAP) can be run over SSL in a standard way. SMTP can't be made more "secure" in any particularly clear sense, because it doesn't involve any recipient authentication (in any case, the most common reason for the wrong person getting an email message is that it's sent to the wrong address, and delivered correctly).
    • Re:ssh and telnet (Score:5, Insightful)

      by jarkko ( 40871 ) on Monday June 30, 2003 @08:57AM (#6330292) Homepage
      All UNIX and Linux distros should have cleartext protocols disabled by default.

      I still use telnet, ftp and even rsh as well and I don't feel insecure about it. Transport-mode IPSec between hosts really helps a lot here...

      The "moronic passwords"-issue comes mainly from pop3 and different web-sessions these days. What the world really needs is opportunistic IPSec.
      • Re:ssh and telnet (Score:3, Informative)

        by killmenow ( 184444 )
        What the world really needs is opportunistic IPSec.
        Done. [freeswan.org]
        • Re:ssh and telnet (Score:3, Informative)

          by noahm ( 4459 )
          Part of what you need in a security system is a guarantee that a communications session will be encrypted. Without that guarantee, you can not trust the connection. Opportunistic IPsec does not provide you with any guarantee that communication with a given host is encrypted. If possible, it will be, but it just as well may not.

          One must understand the rationale for developing opportunistic encryption. It is not to provide for secure communication. It exists to clog the spooks' sniffers with as much un

    • Re:ssh and telnet (Score:5, Insightful)

      by isa-kuruption ( 317695 ) <kuruption AT kuruption DOT net> on Monday June 30, 2003 @09:04AM (#6330349) Homepage
      I will paraphrase a quote from Mr Bruce Schneier:

      "No matter what security measures you implement, the end users are still the weakest link in the chain."

      I think it speaks for itself. Passwords can be brute forced via secure protocols as well. Passwords can be copied from stick-it notes on people's monitors, or from knowing their maiden name.

      While cleartext protocols should be disabled, many places use them... a LOT. And while I know SSH can replace most of their functionality, many places have scripts that have been running for years that would need man power to rewrite (even if changing only one line) which makes it difficult for many organizations decide this is a priority.

      Heck, I had a hell of a time convincing our organization to move from SSHv1 to SSHv2 due to the man-in-the-middle attacks.
      • Passwords can be copied from stick-it notes on people's monitors, or from knowing their maiden name.

        I tell you, I have no stick-it notes on my monitor, and I am not married. Now you tell me, what is the new password I got from /dev/random yesterday?
        • Congratulations. You are not a retard.

          However when it comes to passwords most of the people on a corporate network will be, and it doesn't have to be *your* password I crack, just *a* password.
    • Crackability. Sounds like a word nabisco would use.

      "Ritz.. now with more crackability." /bored
    • I think telnet and ftp should be disabled across the world with very limited exceptions. All UNIX and Linux distros should have cleartext protocols disabled by default.

      I would agree 100% with this, some *NIX flavours do this already, notable NetBSD and OpenBSD, and I suspect FreeBSD does also, though TBH that's guessing. With SSH available there really is no need that I can think of off hand (I'm sure someone can think up a counter argument) for telnet to still exist, and the only reason for plain ftp to
      • I know that telnet is still necessary in some settings due to legacy accounting systems (the particular one I have in mind is by HP, IIRC) that simply don't have a replacement. It can also be used to remotely configure some printers and routers, which shouldn't be accessible (via login) from the outside anyway.

        The telnet client can also be used as a diagnostic tool, though netcat is better.

    • Re:ssh and telnet (Score:2, Informative)

      by Anonymous Coward
      Absolutely agreed.

      From what I've seen, the main reason people use telnet etc. is simply because it's enabled by default. They are too clueless to install SSH (and often too clueless to enable telnet if it were disabled), sometimes they haven't even heard of it.

      Many open source OS distributions (at least the *BSDs, probably most if not all Linux distributions) already include SSH and disable almost everything in inetd.conf by default.

      MacOS X also includes (but doesn't enable) SSH and disables everything
    • or, for the not so paranoid, you could use kerberos and ftp/filezilla. no moronic passwords in the clear at all.
    • Re:ssh and telnet (Score:3, Insightful)

      by ave19 ( 149657 )
      Would it be more accurate to say, you wish to see all cleartext services disabled by default? Since ftp, telnet, rlogin, etc. all have ciphered, non-cleartext authentication methods with mutual authentication?

      Where I work, we allow kerberized telnet, but not cleartext telnet. Same for ftp.

      -ave
    • Re:ssh and telnet (Score:4, Insightful)

      by iabervon ( 1971 ) on Monday June 30, 2003 @11:23AM (#6331548) Homepage Journal
      You really mean cleartext authentication, not cleartext protocols. Cleartext ftp is fine for anonymous downloads; cleartext HTTP is fine so long as you don't use passwords or authentication cookies (note that you and I are both posting in violation of what we're saying. But anyway...); cleartext telnet is fine for rainmaker.wunderground.com; and so forth.

      I find it odd that systems package together telnet (a nice wrapper for TCP, with a few extra features; very useful for a number of things, including getting the weather) with telnetd (a program for providing shell access to attackers, simply based on the few extra features over TCP. Similarly ssh and sshd. Programs that make connections are very different from programs that provide shell access.

      Personally, I think Linux distros should have remote login disabled by default. Anyone who actually wants it will know how to enable it, and will hopefully pick a sane protocol to use to do so.
    • I think telnet and ftp should be disabled across the world with very limited exceptions.

      I use the telnet client to test connectability to various ports...
      telnet somehost 25
      is a nice way to make sure that the SMTP server is running.

      Other than that, I agree that telnet servers should be disabled by default (RH8 and up no longer install it by default). If I have to login to a machine with telnet, the first things I do on it are install SSH and ask permission to change passwords.

      FTP servers are OK if t

    • This goes back to a conversation I was having the other day over the design philosophy of secure TCP. I would prefer the design of IPsec, where the security is layered into the network itself. The problem arises from the fact that there is no way programmatically to ask for a secure connection. All of the work needs to be done by an admin., and all of the details need to be worked out ahead of time (what keys, distribution, etc.) IPsec also doesn't have user key support last time I checked.

      The i

  • by tigersha ( 151319 ) on Monday June 30, 2003 @09:03AM (#6330341) Homepage
    IS is possible to log in to an Active Directory Domain and use those credntials for Kerberos. I am not an expert on this but AFAIK Microsft uses a somewhat bastartized version of Kerberos for Active Directory. I am interested in tusing thos tickets to authenticate with Normal SSH (the Windows version from SSH Labs) from my Windows box. Is this possible?

    • by Anonymous Coward
      I believe recent Kerberos for Windows distributions from MIT include ms2mit.exe, which you can use to do that conversion.

      MIT has single-signon working (the conversion happens automatically) but I don't know if they released the code.
    • Microsoft Active Directory is compatibe with MIT Kerberos version 5.

    • by Anonymous Coward
      Yes, Non-MS kerberos systems will ignore the MS data in the Kerberos ticket and accept it as authentication if you are part of a Kerberos realm that uses a MS KDC. For example, OS X can use an Active Directory server as a KDC and pass the TGT to a cyrus IMAP server. The IMAP server will ignore the MS junk in the ticket and as long as you check out, you can get your mail. The problem is going the other way. You cannot, get a TGT from a MIT KDC and pass it to a MS Kerberized service.
  • by Nissyen ( 101509 ) on Monday June 30, 2003 @09:05AM (#6330350) Homepage
    ...on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication...

    There are other parties interested in Kerberos?

  • kerberos+ssh+putty (Score:5, Informative)

    by ave19 ( 149657 ) on Monday June 30, 2003 @09:10AM (#6330379)
    i have a mod for putty that can do gssapi+kerberos auth for users. windows client to the linux/unix openssh servers.

    we're beta testing (or will start soon) but it works!

    respond if you're interested...
  • by dpilot ( 134227 ) on Monday June 30, 2003 @09:25AM (#6330516) Homepage Journal
    Does this mean we might get afs token forwarding for SSHV2? (I actually *read* the article, and couldn't glean that out of it.) Currently it appears to be possible to get afs token forwarding, but only for SSHV1. Proper token forwarding would enable ssh deployment in an afs shop.

    Or with Kerberos authentication does token forwarding no longer matter, because it's not needed?
    • I'm not sure about other methods, but if you use Wilkinson's GSSAPI patch [sxw.org.uk] with credentials delegation enabled, krb5 TGTs will be forwarded when the user authenticates with krb5/gssapi.

      The problem is that the current version of OpenSSH does an aklog with krb4, which may or may not work without additional patching (i.e. changing the aklog code to use krb5) depending on how your sshd handles the krb libs.

  • Maintaining installations of K5-ticket-passing OpenSSH at a university level (i.e. multiple client / server platforms) is just that much harder when having to match the exact openssh codebase to the exact K5 patchsuite. Being able to ultimately say to all university subunits that want to play ball (and esp. students / faculty and their home boxen) "just cook ossh v3.2x with '--withk5'" would be ever so nice.
    • seems like the story submitter jumped the gun a bit. from http://www.openbsd.org/plus.html [openbsd.org]

      Add kerberos-over-ssh2 support to ssh(1).

      though, reading some openbsd mailing lists, i get the following:

      the openssh maintainers would like to have full kerberos support in openssh. however, the mit kerberos code is full of bugs and poorly maintained. the openbsd and openssh developers are sick of dealing with it, and are trying to minimize use of kerberos in the system.
      kerberos 4 has been pulled out of openss
  • Advantage? (Score:3, Interesting)

    by quantum bit ( 225091 ) on Monday June 30, 2003 @09:33AM (#6330592) Journal
    So exactly what advantage does this have over

    rlogin -x $HOSTNAME

    ? I'm talking about the Kerberized rlogin, of course (possibly known as krlogin to some of you linux users). The -x means to force encryption of the entire session.
  • Isn't this old? (Score:3, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Monday June 30, 2003 @09:49AM (#6330740) Homepage
    The ssh-krb5 package has been in debian for, well, years... it works OK .. ironically I'm ditching kerberos soon because it's a lot of hassle, since the token keeps expiring at precisely the wrong moment just as I want to do something, plus it's difficult to switch users since you can only have one ticket at a time - PKI with forwarding is a lot easier.

  • by voicebox ( 516987 ) on Monday June 30, 2003 @09:49AM (#6330745)
    I am unable to get to the article (slashdotted) but there is an already existing GSSAPI patch for OpenSSH here: patch [sxw.org.uk].
  • by Anonymous Coward
    Personally I would LOVE to see OpenSSH with Kerberos support, but to be honest I'm sure a lot you guys have Windows desktops (or at least a lot of your users do) like me. What I would like to see is a Windows SSH client that supports the Kerberos TGT that Windows gets for you when you sign into an AD domain and actually works. The one from Reflection doesn't seem to work with OpenSSH+kerberos patch.
    • Ah, well, that assumes that Active Directory Kerberos is interoperable with the kerberos specifications (which it isn't). Not to mention the fact that Windows likes to not use gss-api and prefers to instead use gss-spnego (which allows them to negotiate down to ntlmssp the minute the network even hiccups slightly).

      See, the thing most people don't realize about AD, is that while it sort of supports Kerberos, the minute something goes even slightly wrong (some UDP packets get lost, a time skew's detected, m
  • by Tuck ( 41529 ) on Monday June 30, 2003 @10:08AM (#6330895) Homepage
    .. is two doors down on the left [theaimsgroup.com].
    • by Anonymous Coward

      And has there been any attempt by anyone to either

      1. Audit the GSSAPI patch and GSSAPI libraries?
      2. Split the one large patch into managable, incremental changes?

      If not, then Theo's objections still apply, and this whole thing is just more pissing and moaning that "we have a patch and those bastard developers are ignoring us."

      • There have been audits of the code, but I am not sure any of the auditors have been blessed by the OpenSSH developers so it doesnt mean much.

        I can understand their reluctance, but meeting people half way is needed.
  • by uslinux.net ( 152591 ) on Monday June 30, 2003 @10:09AM (#6330906) Homepage
    Kerberos authentication has been in openssh for a while, IIRC. What openssh lacks is kerberos ticket passing. Authentication works by validating your kerberos ticket against a KDC, or validating your password against the KDC. #2 has been there. I believe #1 has as well. Ticket passing allows your ticket to be forwarded to the next server, so you can *again* login in to another system. If you don't pass tickets, you need to kinit on each system before you can ssh.

    And BTW, kerberos 5 sysadmins can disable non-encrypted services, so rsh/rlogin/telnet/ftp/etc can mandate encryption or fail the connections.
    • by Anonymous Coward
      The article is not about the lack of Kerberos support in OpenSSH, but rather the lack of reasonable Kerberos support. OpenSSH will forward tickets and all that, but the problem is that it uses Kerberos improperly and doesn't derive all of the benefits that one should (such as protection from MITM attacks, etc.)
    • There has been ticket passing for SSH version 1 only. The problem is with SSH version 2. There are 2 ways of doing KRB (Heimdal/MIT/etc) with sshv2 currently.

      The first way is using a rather 'quick but broken' method that ssh.com used. This method cleans up the major problem in sshv1 krb passing (which was sending a TGT before you were verified), but does not do any sort of verification of the server to the client or much vice versa. This was implemented into the CVS of SSH.com last month or so.

      The second
  • next step (Score:3, Informative)

    by scrytch ( 9198 ) <chuck@myrealbox.com> on Monday June 30, 2003 @10:45AM (#6331236)
    Now all they have to do is make Kerberos as easy to install as openssh. Last time I had to deal with kerberos, it was like removing my own spleen. And it never even worked well when I used it -- like most other MIT standards, it was a pig and had an archaeic interface. And the expiration mechanism still sucks.
  • by sdjunky ( 586961 ) on Monday June 30, 2003 @10:49AM (#6331272)
    "draft-ietf-secsh-gsskeyex"

    Yeah! Well, your mother!
  • ..implementing draft-ietf-secsh-gsskeyex in addition to ..

    Ahh yes. draft-ietf-secsh-gsskeyex.
    Encryption so secure you need a key just to decipher the name!

    :)
  • Man-in-the-middle (Score:3, Insightful)

    by smallpaul ( 65919 ) <paul@presco d . n et> on Monday June 30, 2003 @11:24AM (#6331555)
    I often hear about man-in-the-middle attacks in theory but I've heard of one in practice. Can someone point me to some documentation about an incident where data was compromised by a MITM?
  • ... he says that they would like to reduce user confusion..

    and yet he mentions draft-ietf-secsh-gsskeyex...

  • by morrison ( 40043 )
    This is great news for government sites/labs where Kerberos with pre-hardware authentication (SecureID) is standard or even mandated. As it is, many sites have to remove the existing ssh installation, only to install a custom Kerberized version of ssh.

    (e.g. http://kirby.hpcmp.hpc.mil/)

    Having Kerberos in the default install should ease one of the many headache's government sysadmins have to endure.

  • GSSAPI patches for openssh are here [sxw.org.uk]. The openssh maintainers aren't real impressed with the GSSAPI spec, and aren't terribly enthusiastic about supporting it, so there's some resistance to merging it.
  • draft-ietf-secsh-gsskeyex
    Am I the only reader who did a double-take of that phrase?
  • by Anonymous Coward
    Support the OpenSSH developers by getting a 3.3 CD $40 [openbsd.org] or for Europe EUR 45 [openbsd.org]

    There is a new Tshirt: 3 .3 Tshirt $20 [openbsd.org] or for Europe EUR 20 [openbsd.org]

    The new 3.3 poster [openbsd.org] is very nice too, get it for $10 US [openbsd.org] or EUR 14 in Europe [openbsd.org]

    Support OpenSSH, have a look at this new Tshirt OpenSSH 2 $20 [openbsd.org] or for Europe EUR 20 [openbsd.org]

    thank you.

  • Why isn't kerberos used more(on Linux, not counting MS AD here) ? It's great for offices and similar, especially the single sign-on "feature".
    Would be very nice if the desktops(KDE/Gnome) had wider support for kerberos.. e.g. (GUI/Nautilus/Konqueror) ftp client with kerberos support and similar to.. After all, why provide username/password every damn time I have to access a resource within the "domain" I'm already logged on to ?
    People.. use kerberos... demand kerberos support..

  • about a brand new 0day in the OpenSSH krb5 code.

    (SSH team did a minor cleanup on the SSH code and introduced some vulnerbility somehow).

    now, go figure!

Keep up the good work! But please don't ask me to help.

Working...