IETF-SSH archive
Re: SSHv2 GSS spec issue wrt gss error tokens
On Mon, Nov 18, 2002 at 11:16:13AM -0600, Nicolas Williams wrote:
>
> [...]
>
> (One need not even have to misconfigure Kerberos - if the server is
> multi-homed, with multiple canonical hostnames [one for each set of
> interfaces] then gsskeyex will work only when user against the
That should read "One need not misconfigure Kerberos ..." and
"... only when used against ..."
> interfaces whose canonical hostname matches the host's "nodename". This
> is because the existing open source implementations of GSS/Kerberos do
> not support the better GSS_C_NO_CREDENTIAL semantics in
> GSS_Accept_sec_context(). This scenario happens every day in at least
> one environment that I know of, so it is not far-fetched; having useful
> error messages for this and other scenarios would be great and sending
> the acceptor's error token is the correct way to achieve that.)
>
> [...]
>
> Alternatively the draft could be modified in a
> non-backwards compatible manner, but I believe it's too for that.
That should read "... but I believe it's too late for that."
>
> [...]
>
Nico