IETF-SSH archive


RE: gss userauth



It would help, especially in the case of Kerberos.  However it does not completely solve the problem and I'm not sure it would help with other GSSAPI mechanisms (with some mechanisms this may not be a problem anyway).  I think sending the Session ID in the MIC is a better solution.
 
Joe
-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop%CyberSafe.Ltd.UK@localhost]
Sent: Monday, August 25, 2003 12:12 PM
To: Joseph Salowey; 'Joseph Galbraith'; 'Jeffrey Hutzelman'; 'Love'
Cc: ietf-ssh%NetBSD.org@localhost
Subject: RE: gss userauth

[Joe] If the GSSAPI exchange is not bound to the session then you do not have assurance that the client actually was performing the GSSAPI exchange to authenticate itself to the SSH server.  The client may actually be trying to authenticate to some other service in some other context and his authentication may be proxied by a third party.  Part of the problem is that the target name suggested is "host@" which can be used by multiple services on a host. 

Tim> Perhaps a target service name such as "ssh@" should be suggested instead? Would this avoid the problem under discussion?
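
Added example, not part of the thread or of any SSH implementation: a toy model of the binding problem discussed above, showing that a server which verifies a MIC over its own session ID rejects a GSSAPI exchange relayed from another context. The `ToyContext` class, the HMAC stand-in for GSSAPI MIC calls, and the session ID construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional


class ToyContext:
    """Constructed stand-in for an established GSSAPI context (not real GSSAPI):
    both ends hold the same per-context key; the MIC is modelled as HMAC-SHA256."""

    def __init__(self, key: bytes):
        self.key = key

    def get_mic(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def verify_mic(self, data: bytes, mic: bytes) -> bool:
        return hmac.compare_digest(self.get_mic(data), mic)


def session_id(*kex_inputs: bytes) -> bytes:
    """Toy session ID: a hash over one connection's key-exchange values."""
    return hashlib.sha256(b"|".join(kex_inputs)).digest()


def server_accepts(ctx: ToyContext, own_sid: bytes,
                   mic: Optional[bytes], require_binding: bool) -> bool:
    """Server-side decision once the context is established."""
    if not require_binding:
        return True  # context establishment alone counts as authentication
    # Bound variant: the MIC must cover the session ID this server computed.
    return mic is not None and ctx.verify_mic(own_sid, mic)


def run(relayed: bool, require_binding: bool) -> bool:
    # One "host@" identity serves several services on the host, so a context
    # the client meant for another service also completes at the SSH server.
    key = os.urandom(32)
    client_ctx, server_ctx = ToyContext(key), ToyContext(key)
    # Session the client itself negotiated (constructed values).
    client_sid = session_id(b"client-kex", b"peer-kex")
    # Session the SSH server sees: identical when the client connected
    # directly, different when a third party relays the tokens.
    server_sid = session_id(b"relay-kex", b"sshd-kex") if relayed else client_sid
    mic = client_ctx.get_mic(client_sid)
    return server_accepts(server_ctx, server_sid, mic, require_binding)
```
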


