Simon Josefsson <jas@extundo.com> writes:
> Anyone interested in working on adding GSS-API authentication a'la http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt to lsh? I'm currently working on my own GSS library (see http://josefsson.org/gss/) and while far from finished, it can now talk to other clients/servers via GSASL or Mailutils.
I'm afraid I haven't kept up with the GSS-API discussions (and I'm generally a little sceptical about it, but I think we've discussed that earlier).
> I'd imagine adding the GSS support to lsh would stress test more stuff in the GSS library, so it looks like a good next step for me.
Sounds interesting.
Would you start with the server or the client side? On the server, you need to inherit the userauth class in server_userauth.h, with some guidance from the class userauth_publickey in server_publickey.c. I think that should be reasonably straightforward.
You also have the option of designing a way to put the gssapi processing in a separate program (like the kerberos and pam helper programs), but you probably need a more sophisticated protocol than those. I think that's the way to go for keyboard-interactive (http://bugzilla.lysator.liu.se/show_bug.cgi?id=1028), but it may not be for GSS-API.
In the client, the code is a little hairier (due to the way userauth failures are handled), and it's all in client_userauth.c.
> However, as I'm not familiar with lsh (the gc stuff makes it look a bit complex)
The point of the stuff is to make things less complex, as you don't need any code for deciding when an object can be deallocated... As for the LSH style of object oriented C, I admit it can take a little time to get used to ;-), but it's fairly simple. The best starting point I can give is the file doc/HACKING in the LSH distribution.
> Is there some major component missing from lsh that would be needed before the GSS auth/kex idea can be implemented?
I don't think there's anything missing in the general framework that you'd need for GSS support, but of course it's hard to say for sure before one starts to look into GSS-API in detail.
I personally don't plan to add GSS-API support soon, but if anybody else likes to work on it, I'd be happy to guide you around.
Best regards, /Niels