IETF-SSH archive


Re: GSS-API SRP mech (was Re: retrying keyex ...)



Sam Hartman  <hartmans%mit.edu@localhost> wrote:
[existing implementations of SRP authentication in SSH]
> Please don't; use Keith's GSSAPI mechanism.  I believe that getting
> his draft in shape should not take too much time at all.

Stop me if I'm being completely ignorant, but I thought GSSAPI
required the use of a null host key?

One of the great things about SRP as implemented in the hacked
OpenSSH I saw is that it uses the shared secret output from the SRP
exchange to validate the ordinary SSH host key - so that you can
connect to a machine whose host key you don't already know, enter
your SRP passphrase in confidence that it can't be stolen even if
the server has been spoofed, and if the SRP exchange completes
successfully then you can also be sure that _that host key_ belongs
to a machine which already knew what your passphrase should have
been. Then, later, you can use other forms of authentication to talk
to the same server and now be confident of its host key.

I think that any SRP implementation which worked by avoiding the
host key completely would be a step backwards from this. The whole
host key problem is a major hassle to many SSH users, and making it
simpler would be a serious gain.

Cheers,
Simon
-- 
Simon Tatham         "You may call that a cheap shot.
<anakin%pobox.com@localhost>    I prefer to think of it as good value."
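The host-key binding Simon describes above (the SRP shared secret confirming the host key, so a spoofed server that never knew the passphrase cannot get its key accepted) can be sketched in code. The following is an added example written for this archive page; it is not the patched OpenSSH Simon refers to, nor anything from Keith's GSS-API draft. It implements the SRP-6a arithmetic over a constructed toy group (`N = 2^127 - 1`, `g = 5`, far too small for real use; a deployment would use the published RFC 5054 groups) and then has the server prove possession of the shared key `K` with an HMAC over the host key it offers. The `bind_host_key` tag construction and the `srp-hostkey-binding` label are my own assumptions for illustration, not a protocol defined anywhere.

```python
import hashlib
import hmac
import secrets

# Constructed toy group parameters for illustration only. They keep the
# arithmetic honest but are far too small to be secure; a real deployment
# would use one of the SRP groups published in RFC 5054.
N = (1 << 127) - 1  # a Mersenne prime (not a safe prime)
g = 5
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pad(n: int) -> bytes:
    # Fixed-width big-endian encoding of a group element.
    return n.to_bytes(NLEN, "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


K_MULT = b2i(H(pad(N), pad(g)))  # SRP-6a multiplier k = H(N || PAD(g))


def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    # x = H(s || H(I ":" P)); the password itself never leaves the client.
    return b2i(H(salt, H(username, b":", password)))


def make_verifier(username: bytes, password: bytes, salt: bytes) -> int:
    # v = g^x mod N is what the server stores instead of the password.
    return pow(g, private_x(username, password, salt), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # (a, A)


def server_respond(v: int, A: int):
    if A % N == 0:
        raise ValueError("invalid client ephemeral A")
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * v + pow(g, b, N)) % N
    return b, B


def scrambler(A: int, B: int) -> int:
    u = b2i(H(pad(A), pad(B)))
    if u == 0:
        raise ValueError("scrambling parameter u is zero")
    return u


def client_key(username, password, salt, a: int, A: int, B: int) -> bytes:
    if B % N == 0:
        raise ValueError("invalid server ephemeral B")
    x = private_x(username, password, salt)
    u = scrambler(A, B)
    base = (B - K_MULT * pow(g, x, N)) % N  # strips k*v, leaving g^b
    S = pow(base, a + u * x, N)
    return H(pad(S))


def server_key(v: int, b: int, A: int, B: int) -> bytes:
    u = scrambler(A, B)
    S = pow(A * pow(v, u, N) % N, b, N)
    return H(pad(S))


def bind_host_key(K: bytes, host_key: bytes) -> bytes:
    # Hypothetical binding: the server commits to the host key it offered
    # under the SRP-derived key, which it can only hold if it knew v.
    return hmac.new(K, b"srp-hostkey-binding" + host_key, hashlib.sha256).digest()


def host_key_is_bound(K: bytes, host_key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(bind_host_key(K, host_key), tag)


def client_accepts_host_key(username: bytes, password: bytes, salt: bytes,
                            server_verifier: int, host_key: bytes) -> bool:
    # Runs one exchange; server_verifier is whatever the responding server
    # holds (the real v, or a wrong one if the server is an impostor).
    a, A = client_start()
    b, B = server_respond(server_verifier, A)
    tag = bind_host_key(server_key(server_verifier, b, A, B), host_key)
    K = client_key(username, password, salt, a, A, B)
    return host_key_is_bound(K, host_key, tag)
```

The point of the last function is the one in the mail: the client never sends its passphrase, and the host key is accepted only when the tag checks out, which requires the server to have derived the same `K`, which in turn requires it to have held the verifier for that user. An impostor with a guessed verifier produces a different `K`, the tag fails, and the unknown host key is rejected rather than trusted on first use.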


