Love <lha%stacken.kth.se@localhost> writes:

> I've pointed this out to the authors privately, so I'll repeat this
> publicly. I consider gss userauth to be broken since it doesn't verify the
> session id (using either a mic or channel bindings (like in CCM)).

So I would like to propose adding the following text (marked with !) in 3.5 in draft-ietf-secsh-gsskeyex. I knowingly break backward compatibility because I think the problem is important enough to (possibly) break backward compatibility.

I've had a long chat with Jeff Hutzelman, and the solution that he and Sam Hartman are talking about might be better than mine. I'm proposing this as a simple alternative solution to the problem.

Love

3.4 GSSAPI session

[...]

!   The client MUST use the integ_avail in calls to
!   GSS_Init_sec_context() to request credential and verify the flag
!   is set when the negotiation is done.

[...]

3.5 Client acknowledgement

   It is possible for the server to successfully complete the GSSAPI
   method and the client to fail. If the server simply assumed success
   on the part of the client and completed the authentication service,
   it is possible that the client would fail to complete the
   authentication method, but not be able to retry other methods
   because the server had already moved on. Therefore, the client MUST
   send the following message when it has successfully called
   GSS_Init_sec_context() and gotten GSS_S_COMPLETE:

      byte      SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE
!     string    MIC

   This message MUST be sent if and only if GSS_Init_sec_context()
   returned GSS_S_COMPLETE. If a token is returned then the
   SSH_MSG_USERAUTH_GSSAPI_TOKEN message MUST be sent before this one.

!  The MIC is the result of the gss_get_mic over the following data, in the
!  following order:
!
!     string    session identifier
!     byte      SSH_MSG_USERAUTH_REQUEST
!     string    user name (in ISO-10646 UTF-8 encoding)
!     string    service name (in US-ASCII)
!     string    "gssapi" (US-ASCII method name)
!     uint32    n, the number of mechanism OIDs client supports
!     string[n] mechanism OIDs
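The MIC construction proposed above, as an added worked example that is not part of Love's message or of the draft: it lays out the bytes the MIC covers in SSH wire encoding, builds the SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE message, and shows a server accepting it on the session it was computed for and rejecting it when the session identifier differs, which is the relay case the proposal is meant to close. GSS_GetMIC is stood in for by HMAC-SHA256 under a key the two sides are assumed to share from the established context; the message number 63 and the DER encoding of the Kerberos V5 mechanism OID are taken from what the draft was later published as (RFC 4462), not from this page; the session identifiers, user name and key are constructed sample values.

```python
"""Added example (not from the draft): build and verify the session-bound MIC
proposed for SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE."""
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50                    # RFC 4252
SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63   # assumed; value from RFC 4462, not this page

# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (sample mech list)
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str, mech_oids: list) -> bytes:
    """The bytes the proposal says the MIC covers, in the stated order."""
    parts = [
        ssh_string(session_id),
        bytes([SSH_MSG_USERAUTH_REQUEST]),
        ssh_string(user.encode("utf-8")),
        ssh_string(service.encode("ascii")),
        ssh_string(b"gssapi"),
        struct.pack(">I", len(mech_oids)),
    ]
    parts.extend(ssh_string(oid) for oid in mech_oids)
    return b"".join(parts)


def gss_get_mic(ctx_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC: HMAC-SHA256 under the (assumed) context key."""
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def gss_verify_mic(ctx_key: bytes, data: bytes, mic: bytes) -> bool:
    """Stand-in for GSS_VerifyMIC; constant-time comparison."""
    return hmac.compare_digest(gss_get_mic(ctx_key, data), mic)


def client_exchange_complete(ctx_key, session_id, user, service, mech_oids) -> bytes:
    """Client side: MIC over its own session id and userauth request fields."""
    mic = gss_get_mic(ctx_key, mic_input(session_id, user, service, mech_oids))
    return bytes([SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE]) + ssh_string(mic)


def parse_ssh_string(buf: bytes, offset: int):
    (n,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    if start + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + n], start + n


def server_accepts(ctx_key, msg, session_id, user, service, mech_oids) -> bool:
    """Server side: recompute the MIC input from ITS session id and the
    userauth request it received, then verify the client's MIC against it."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE:
        return False
    mic, end = parse_ssh_string(msg, 1)
    if end != len(msg):            # trailing garbage is a malformed message
        return False
    expected = mic_input(session_id, user, service, mech_oids)
    return gss_verify_mic(ctx_key, expected, mic)


def demo():
    """Returns (accepted_on_own_session, accepted_when_relayed)."""
    ctx_key = hashlib.sha256(b"constructed shared context key").digest()
    sid_server = hashlib.sha256(b"constructed session A").digest()   # server's session
    sid_relayed = hashlib.sha256(b"constructed session B").digest()  # client's session via a relay
    args = ("alice", "ssh-connection", [KRB5_MECH_OID_DER])

    direct = client_exchange_complete(ctx_key, sid_server, *args)
    relayed = client_exchange_complete(ctx_key, sid_relayed, *args)
    return (server_accepts(ctx_key, direct, sid_server, *args),
            server_accepts(ctx_key, relayed, sid_server, *args))


if __name__ == "__main__":
    print(demo())
```

The second result is the point of the proposal: a GSS context relayed through a man-in-the-middle still completes, but the MIC was computed over the client's session identifier, which is not the one the server has, so the server cannot verify it and must not treat the user as authenticated.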