nisse@lysator.liu.se (Niels Möller) writes:
Simon Josefsson <jas@extundo.com> writes:
Anyone interested in working on adding GSS-API authentication à la http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt to lsh? I'm currently working on my own GSS library (see http://josefsson.org/gss/) and while far from finished, it can now talk to other clients/servers via GSASL or Mailutils.
I'm afraid I haven't kept up with the GSS-API discussions (and I'm generally a little sceptical about it, but I think we've discussed that earlier).
I'm also skeptical (I have a "Criticism of GSS" section in the manual that discusses some problems), but I haven't seen any standardized approach to supporting Kerberos 5 in SSH except GSS, so...
Personally I would have used SASL. Fortunately, there is no conflict, and we could add SASL support too.
I'd imagine adding the GSS support to lsh would stress test more stuff in the GSS library, so it looks like a good next step for me.
Sounds interesting.
Would you start with the server or the client side? On the server, you need to inherit the userauth class in server_userauth.h, with some guidance from the class userauth_publickey in server_publickey.c. I think that should be reasonably straightforward.
Good. Clients are often easier to debug though, but I'll follow this pointer first.
You also have the option of designing a way to put the gssapi processing in a separate program (like the kerberos and pam helper programs), but you probably need a more sophisticated protocol than those. I think that's the way to go for keyboard-interactive (http://bugzilla.lysator.liu.se/show_bug.cgi?id=1028), but it may not be for GSS-API.
If/when there is a framework for that, and the protocol is flexible enough to support GSS, I guess it sounds better. I won't look into this now though, since my focus is mostly on the GSS side.
I personally don't plan to add GSS-API support soon, but if anybody else would like to work on it, I'd be happy to guide you around.
Thanks, Simon