IETF-SSH archive


Re: SSHv2 GSS spec issue wrt gss error tokens



On Tue, 5 Nov 2002, Nicolas Williams wrote:

> I propose that the draft be modified to say that when GSS_Accept_sec_context()
> returns an error but produces an output token, then the server MUST send
> back a SSH_MSG_KEXGSS_CONTINUE message with the error token to the
> client

So far, so good.  I'll have to think about the semantics of that; we
would want to make sure that once the server has gotten an error, the key
exchange cannot succeed.

> and it MUST continue to the next key exchange algorithm.

There is no "next key exchange algorithm".  If key exchange fails, the
connection is aborted.  There is no second chance.

> Alternatively we could add a new message for the server to indicate that
> it had an error and in which to send the error token OR we could modify
> the SSH_MSG_KEXGSS_ERROR message to include an optional error token.

I'm not sure which of the three approaches is best.  But I do agree the
problem should be solved...

-- Jeff
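To make the property discussed above concrete (an error token is relayed to the client, but a failed exchange can never be completed), here is an added example that is not code from this thread or from any SSH implementation: it models the server side of the KEXGSS exchange as a small state machine. The GSS result values and tokens are constructed stand-ins for what GSS_Accept_sec_context() would return, and the message names are the draft's SSH_MSG_KEXGSS_* names.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Model of the three outcomes GSS_Accept_sec_context() can report.
# Constructed for this example; a real GSS-API binding returns major-status codes.
CONTINUE_NEEDED, COMPLETE, ERROR = "CONTINUE_NEEDED", "COMPLETE", "ERROR"


@dataclass
class KexGssServer:
    """Server side of the SSH GSS key exchange, tracking messages sent."""
    sent: List[Tuple[str, Optional[bytes]]] = field(default_factory=list)
    failed: bool = False       # set once an error has been reported to the client
    established: bool = False  # set only when the context completed cleanly

    def on_accept_result(self, major: str, out_token: Optional[bytes]) -> Optional[str]:
        """Map one GSS_Accept_sec_context() result to the SSH message to send.

        Returns the message name, or None when the server must disconnect
        because the exchange has already failed (no second chance)."""
        if self.failed:
            # Whatever the client sends after an error, the exchange stays dead.
            return None
        if major == ERROR:
            self.failed = True
            if out_token is not None:
                # Error with a token: relay it in KEXGSS_CONTINUE so the client's
                # mechanism learns why it failed; the exchange still cannot succeed.
                self.sent.append(("SSH_MSG_KEXGSS_CONTINUE", out_token))
                return "SSH_MSG_KEXGSS_CONTINUE"
            self.sent.append(("SSH_MSG_KEXGSS_ERROR", None))
            return "SSH_MSG_KEXGSS_ERROR"
        if major == CONTINUE_NEEDED:
            self.sent.append(("SSH_MSG_KEXGSS_CONTINUE", out_token))
            return "SSH_MSG_KEXGSS_CONTINUE"
        self.established = True  # COMPLETE may or may not carry a final token
        self.sent.append(("SSH_MSG_KEXGSS_COMPLETE", out_token))
        return "SSH_MSG_KEXGSS_COMPLETE"


def run_exchange(results: List[Tuple[str, Optional[bytes]]]) -> Tuple[List[str], str]:
    """Feed a constructed sequence of accept-context results; stop at the first disconnect."""
    srv = KexGssServer()
    msgs: List[str] = []
    for major, token in results:
        msg = srv.on_accept_result(major, token)
        if msg is None:
            return msgs, "disconnect"
        msgs.append(msg)
    return msgs, "established" if srv.established else "disconnect"
```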
