Bug 1312 - Add short command-line option -K for activating GSSAPIDelegateCredentials
Summary: Add short command-line option -K for activating GSSAPIDelegateCredentials
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Kerberos support
Version: 4.4p1
Hardware: All Linux
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_4_7
Reported: 2007-05-06 22:36 AEST by Markus Kuhn
Modified: 2008-04-04 09:59 AEDT

See Also:


Attachments
Patch adding option -K to enable GSSAPI auth. and cred. forwarding (1.60 KB, patch)
2007-05-12 23:00 AEST, Markus Kuhn

Description Markus Kuhn 2007-05-06 22:36:36 AEST
I would like to propose the addition of a new command-line option to the OpenSSH client program "ssh":

  -K  Enables both GSSAPI authentication and forwarding of
      GSSAPI credentials to server (equivalent to options
      GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes)

Reason:

When logging in to servers that use Kerberized NFS, it is not possible to use publickey authentication, because ~/.ssh/authorized_keys is not available at the time of login. In such environments, which are becoming increasingly common due to security worries about the risks of unauthenticated NFS, GSSAPI/Kerberos has to be used both to authenticate the login and to enable the server to access my home directory. In such an environment, the two command-line options

  -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes

are practically as important as, for example, -X for forwarding X11. Unfortunately, there exists currently no convenient short command-line option to activate this function. What I propose is basically the Kerberos equivalent of the two X11-forwarding options -x (disable) and -X (enable). The option -k (disable Kerberos ticket forwarding) does already exist, so adding -K (enable Kerberos forwarding) is the obvious and intuitive choice here.

Like with X11 forwarding (-X), there may be good security reasons for not enabling Kerberos ticket forwarding by default, therefore it would be very useful to have a -K to enable Kerberos ticket forwarding on demand only where it is appropriate.

Since Kerberos-based authentication is much faster than public-key based authentication, wherever someone is interested in forwarding a Kerberos ticket to a server, they will almost certainly also prefer to use that ticket for login authentication as well. This is why I propose that -K should enable *both* GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. I can't see a common scenario where you would want to have the latter without the former.
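The report's point is that ticket delegation should be switched on only where it is appropriate, because a delegated ticket lets the server act on the user's behalf. As an added example (not part of the bug report or of OpenSSH), the script below parses a constructed ssh_config and reports which Host patterns enable GSSAPIDelegateCredentials, flagging wildcard patterns as broad; it assumes ssh_config's first-match semantics and does not handle negated (!) host patterns.

```python
"""Audit an ssh_config for where GSSAPI credential delegation is enabled."""

# Constructed sample ssh_config (not taken from the bug report): delegation
# is scoped to the Kerberized-NFS login host, but also enabled for every host.
SAMPLE_CONFIG = """\
Host nfs-login.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes      # harmless on its own
    GSSAPIDelegateCredentials yes # forwards tickets to *any* server
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Options before the first Host line belong to an implicit 'Host *'.
    Keywords are case-insensitive; 'Key=value' and 'Key value' both work.
    Within a block the first occurrence of a keyword wins, as in ssh.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def delegation_findings(text):
    """List (pattern, 'broad'|'scoped') for every Host enabling delegation.

    A pattern containing '*' or '?' is 'broad': tickets would be forwarded
    to many servers, not just the ones (e.g. Kerberized NFS) that need them.
    """
    findings = []
    for patterns, opts in parse_ssh_config(text):
        if opts.get("gssapidelegatecredentials", "").lower() != "yes":
            continue
        for pat in patterns:
            scope = "broad" if any(c in pat for c in "*?") else "scoped"
            findings.append((pat, scope))
    return findings


if __name__ == "__main__":
    for pattern, scope in delegation_findings(SAMPLE_CONFIG):
        print(f"{scope:6s} Host {pattern}: GSSAPIDelegateCredentials yes")
```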
Comment 1 Simon Wilkinson 2007-05-11 17:16:04 AEST
I like the idea of having a -k flag. Historically this used to exist for protocol version 1, and it would be good to add it to version 2.

However, I'm not sure what the politics of doing this would be - the option namespace is obviously limited. Do you have a patch that could be considered?

Finally, I don't think there's any situation in which GSSAPIDelegateCredentials could be legitimately used when GSSAPIAuthentication isn't.

Simon.
Comment 2 Markus Kuhn 2007-05-12 23:00:49 AEST
Created attachment 1279 [details]
Patch adding option -K to enable GSSAPI auth. and cred. forwarding

Here is the very simple and straightforward patch (against openssh-4.6p1) that adds the suggested option -K.
Comment 3 Damien Miller 2007-06-12 21:14:48 AEST
Patch applied, this will be in OpenSSH 4.7 - thanks!
Comment 4 Damien Miller 2008-04-04 09:59:38 AEDT
Close resolved bugs after release.