Re: SSHv2 GSS spec issue wrt gss error tokens

To: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Subject: Re: SSHv2 GSS spec issue wrt gss error tokens
From: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Date: Sun, 10 Nov 2002 08:41:12 -0500 (EST)

On Tue, 5 Nov 2002, Nicolas Williams wrote:

> I propose that the draft be modified to say that when GSS_Accept_sec_context()
> returns an error but produces an output token, then the server MUST send
> back a SSH_MSG_KEXGSS_CONTINUE message with the error token to the
> client

So far, so good.  I'll have to think about the semantics of that; we
would want to make sure that once the server has gotten an error, the key
exchange cannot succeed.

 and it MUST continue to the next key exchange algorithm.

There is no "next key exchange algorithm".  If key exchange fails, the
connection is aborted.  There is no second chance.

> Alternatively we could add a new message for the server to indicate that
> it had an error and in which to send the error token OR we could modify
> the SSH_MSG_KEXGSS_ERROR message to include an optional error token.

I'm not sure which of the three approaches is best.  But I do agree the
problem should be solved...

-- Jeff

Follow-Ups:
- Re: SSHv2 GSS spec issue wrt gss error tokens
  - From: Nicolas Williams [RU-CENTRAL]

References:
- SSHv2 GSS spec issue wrt gss error tokens
  - From: Nicolas Williams

Prev by Date: Re: send agenda items to me.
Next by Date: Re: SSHv2 GSS spec issue wrt gss error tokens
Previous by Thread: SSHv2 GSS spec issue wrt gss error tokens
Next by Thread: Re: SSHv2 GSS spec issue wrt gss error tokens
Indexes:

Home | Main Index | Thread Index | Old Index