On Tue, Jun 18, 2013 at 10:27 PM, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> Modified files:
>         usr.bin/ssh/ssh: Makefile
>         usr.bin/ssh/sshd: Makefile
>
> Log message:
> stop doing kerberos in ssh and sshd
> the code bloat makes that no longer trustworthy functionality
> ok guenther

There was a time when krb5 was a protocol you could bite off and chew, though it was kinda gristly and required lots of chewing. Now? pre-auth, x509, GSS layering (which can themselves include stacking of levels of protocol negotiation) have obliterated whatever core existed that you could understand enough to trust.

Maybe there will be a new minimal implementation that does just authentication and channel-bindings, with zero options; small enough that people can read and believe it. Until then...

Philip Guenther