IETF-SSH archive
Comment on draft-ietf-secsh-gsskeyex-06
The document says:
The client SHOULD NOT send more than one gssapi mechanism OID unless
there are no non-GSSAPI authentication methods between the GSSAPI
mechanisms in the order of preference, otherwise, authentication
methods may be executed out of order.
Besides having four (!) negations, I think some hints on how different
GSSAPI mechanisms should be handled instead would be useful. E.g.:
The client SHOULD send more than one mechanism OID only when all
of the mechanisms are of the same priority, compared to non-GSSAPI
authentication methods. Otherwise, authentication methods may be
executed out of order. Thus, the client could first send an
SSH_MSG_USERAUTH_REQUEST for one GSSAPI mechanism, then try public
key authentication, and then try another GSSAPI mechanism.
FWIW, another implementation of the GSSAPI user authentication part of
the specification is available. Patches (experimental!) for LSH using
GSSLib, Heimdal or MIT Kerberos 5, are available from
<http://josefsson.org/gss/gss-lsh.html>.
Thanks,
Simon
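The ordering problem described in this message, as an added example that is not part of the original post or of any SSH implementation: a client preference list mixing GSSAPI mechanisms and other userauth methods is turned into a sequence of SSH_MSG_USERAUTH_REQUEST messages, once naively (all OIDs in the first GSSAPI request) and once grouped so that only GSSAPI mechanisms with no non-GSSAPI method between them share a request. The method name "gssapi" and the mechanism names are assumptions chosen for illustration, not values from the draft.

```python
# Entries "gssapi:<mech>" are GSSAPI mechanism OIDs (constructed placeholder
# names, not real OIDs); any other entry is a non-GSSAPI userauth method name.
GSSAPI_METHOD = "gssapi"  # assumed userauth method name for this example


def _is_gss(entry):
    return entry.startswith("gssapi:")


def _oid(entry):
    return entry.split(":", 1)[1]


def naive_plan(preferences):
    """Put every GSSAPI OID into the first GSSAPI request (the draft warns against this)."""
    all_oids = tuple(_oid(p) for p in preferences if _is_gss(p))
    plan, gss_sent = [], False
    for p in preferences:
        if _is_gss(p):
            if not gss_sent:
                plan.append((GSSAPI_METHOD, all_oids))
                gss_sent = True
        else:
            plan.append((p, ()))
    return plan


def grouped_plan(preferences):
    """Only GSSAPI mechanisms adjacent in the preference list share one request."""
    plan = []
    for p in preferences:
        if _is_gss(p):
            if plan and plan[-1][0] == GSSAPI_METHOD:
                plan[-1] = (GSSAPI_METHOD, plan[-1][1] + (_oid(p),))
            else:
                plan.append((GSSAPI_METHOD, (_oid(p),)))
        else:
            plan.append((p, ()))
    return plan


def execution_order(plan):
    """Flatten a plan into the order methods get tried. Simplifying assumption:
    mechanisms offered in one request are attempted in the order listed."""
    order = []
    for method, oids in plan:
        order.extend("gssapi:" + o for o in oids) if oids else order.append(method)
    return order


def respects_preference(plan, preferences):
    """True when the plan tries methods exactly in the client's preference order."""
    return execution_order(plan) == list(preferences)
```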