Re: SSHv2 GSS spec issue wrt gss error tokens

To: Jeffrey Hutzelman <jhutz%cmu.edu@localhost>
Subject: Re: SSHv2 GSS spec issue wrt gss error tokens
From: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Date: Mon, 18 Nov 2002 15:59:21 -0600

Ok, one more go around:

On Mon, Nov 18, 2002 at 04:01:49PM -0500, Jeffrey Hutzelman wrote:
> > I don't think not sending a GSS error token should be optional, under
> > any circumstance, unless the alternative is to close the connection
> > without further ado.
> 
> Effectively, that is the alternative.  If there is an error, the server
> sends up to three messages:
> 
> - optional SSH_MSG_KEXGSS_CONTINUE with the error token

Why is this optional?  (To provide for error obfuscation?)  It should be
recommended, not merely optional.

BTW, GSS-API ought to provide a feature for error token obfuscation.
Better to let the mechanism determine what error information to send
than to let the GSS application get away with not sending error tokens.

In the meantime, I'd agree to making SSH_MSG_KEXGSS_CONTINUE w/ error
tokens optional, but recommended - SHOULD, in fact, and the error code
shrouding rationale should be described in the security considerations
section, say.

That brings up another question: do the various SSHv2 drafts
consistently provide for error code obfuscation where errors are sent on
the wire?  Should GSS-keyex be consistent with the other SSHv2 drafts on
this?

> - optional SSH_MSG_KEXGSS_ERROR with error status and message
> - recommended SSH_MSG_DISCONNECT with SSH_DISCONNECT_KEY_EXCHANGE_FAILED.
> - close the connection
> 
> 
> For user auth the exchange is slightly different:
> - optional SSH_MSG_USERAUTH_GSSAPI_TOKEN with the error token
> - optional SSH_MSG_USERAUTH_GSSAPI_ERROR with error status and message
> - required SSH_MSG_USERAUTH_FAILURE
> 
> Once the client receives SSH_MSG_USERAUTH_FAILURE, it aborts the GSSAPI
> exchange and may either close the connection or try again.
> 
> > Why couldn't this be accomplished with debug messages on the server
> > side? Or with the server sending debug messages to the client? (there's
> > no debug messages during key exchange, are there?)
> 
> I don't see anything specific that prohibits debug messages during key
> exchange.  However, the use of a separate "error" message makes it clear
> that we are describing the reason for an error, which could have an effect
> on whether the client displays the result to the user (for example, the
> client may choose to try multiple user auth methods, and only display the
> error information if all fail).

Ok.

> > Regardless, the draft should be clear that the minor status code is
> > implementation specific and that the client should not attempt to
> > interpret it (the message in question has a field for a human readable
> > error message string anyways).
> 
> Yes, I agree we should add some clarifying text.

Thanks.


> -- Jeff
> 

Thanks,

Nico

Follow-Ups:
- Re: SSHv2 GSS spec issue wrt gss error tokens
  - From: Jeffrey Hutzelman

References:
- Re: SSHv2 GSS spec issue wrt gss error tokens
  - From: Nicolas Williams
- Re: SSHv2 GSS spec issue wrt gss error tokens
  - From: Jeffrey Hutzelman

Prev by Date: Re: SSHv2 GSS spec issue wrt gss error tokens
Next by Date: Re: SSHv2 GSS spec issue wrt gss error tokens
Previous by Thread: Re: SSHv2 GSS spec issue wrt gss error tokens
Next by Thread: Re: SSHv2 GSS spec issue wrt gss error tokens
Indexes:

Home | Main Index | Thread Index | Old Index