IETF-SSH archive


Re: gss userauth



> [Joe] If the GSSAPI exchange is not bound to the session then you do
> not have assurance that the client actually was performing the
> GSSAPI exchange to authenticate itself to the SSH server.  The
> client may actually be trying to authenticate to some other service
> in some other context and his authentication may be proxied by a
> third party.  Part of the problem is that the target name suggested
> is "host@" which can be used by multiple services on a host.

Are you talking about some kind of man-in-the-middle attack?  If so,
wouldn't the MITM have to break in after the key exchange had taken
place, the session id had been negotiated, and encryption was already
in effect?  (Which is when gss userauth happens.)  And wouldn't this
be impossible?

Or are you talking about the server somehow misunderstanding what the
client was after?  In this case wouldn't it be up to the client to
leave no room for doubt?
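
The binding under discussion, sketched as an added example that is not part of the original message or of any SSH implementation: it compares a server check that ignores the session identifier with one computed over it. HMAC stands in for a GSSAPI MIC, and CONTEXT_KEY, the function names and the key-exchange strings are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the key a completed GSSAPI context gives both peers.
# A real implementation would call GSS_GetMIC / GSS_VerifyMIC instead of HMAC.
CONTEXT_KEY = os.urandom(32)


def session_id(kex_transcript: bytes) -> bytes:
    """Hypothetical session identifier: a hash of one connection's key exchange."""
    return hashlib.sha256(kex_transcript).digest()


def client_proof(key: bytes, user: str, sid: Optional[bytes]) -> bytes:
    """Proof sent by the client; sid=None models an exchange not bound to a session."""
    msg = user.encode() + (b"\x00" + sid if sid is not None else b"")
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_accepts(key: bytes, user: str, own_sid: bytes,
                   proof: bytes, bound: bool) -> bool:
    """Server-side check, computed over the server's own view of the session."""
    expected = client_proof(key, user, own_sid if bound else None)
    return hmac.compare_digest(expected, proof)


def run(bound: bool) -> dict:
    # Two separate connections, so two different session identifiers.
    sid_direct = session_id(b"constructed kex: client <-> server")
    sid_other = session_id(b"constructed kex: third party <-> server")
    # The client produces its proof for the connection it believes it is on.
    proof = client_proof(CONTEXT_KEY, "alice", sid_direct if bound else None)
    return {
        "same_session": server_accepts(CONTEXT_KEY, "alice", sid_direct, proof, bound),
        "other_session": server_accepts(CONTEXT_KEY, "alice", sid_other, proof, bound),
    }


if __name__ == "__main__":
    print("unbound:", run(bound=False))
    print("bound:  ", run(bound=True))
```

With the session identifier included, a proof produced on one connection fails verification on any other connection, which is the assurance the quoted paragraph says is missing without binding.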



