IETF-SSH archive


Re: gss userauth



On Tue, Aug 26, 2003 at 03:22:00PM -0400, Sam Hartman wrote:
> My reason is simple.  I don't really see this as a new vulnerability
> so much as an apparent decision on the part of the WG to change the
> threat model.

Not only that, there is an alternative that does the right thing:
gsskeyex.

I think a warning about gss userauth not being bound to the session ID
and the resulting weakness, along with text explaining gss userauth's
utility with gss mechs that don't provide integrity protection ought to
suffice.  We have other userauths that also don't bind authentication to
the session ID (password, keyboard-interactive), so gss userauth's
failure to bind authentication to the session ID is acceptable,
particularly given that gsskeyex does (plus it has other benefits).

Cheers,

Nico
-- 
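To make the distinction in the message concrete, here is an added example (not from the thread or any SSH implementation) contrasting a userauth authenticator that covers the session identifier, laid out like the RFC 4252 publickey signed data, with one that covers only the user/service/method fields, like password or keyboard-interactive. An HMAC over a constructed shared key stands in for the signature or GSS MIC, and the two session identifiers are constructed values standing for the session the client sees and the session a relaying party presents to the server. The server-side check shows why the bound form only verifies when both ends agree on the session identifier.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the data (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def bound_auth_data(session_id: bytes, user: str, method: str) -> bytes:
    """Bytes a session-bound userauth authenticates, in the RFC 4252 publickey layout.

    The session identifier is the first field, so an authenticator produced
    here is only meaningful for the key exchange that produced that identifier.
    """
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(method.encode()))


def unbound_auth_data(user: str, method: str) -> bytes:
    """Bytes an unbound userauth authenticates: no session identifier at all."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(method.encode()))


def authenticator(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the signature or GSS MIC (assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def server_verify_bound(key: bytes, server_session_id: bytes, user: str, tag: bytes) -> bool:
    """Server recomputes the authenticator over *its own* session identifier."""
    expected = authenticator(key, bound_auth_data(server_session_id, user, "demo-bound"))
    return hmac.compare_digest(expected, tag)


def server_verify_unbound(key: bytes, user: str, tag: bytes) -> bool:
    """Server has nothing session-specific to check against."""
    expected = authenticator(key, unbound_auth_data(user, "demo-unbound"))
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run both methods over one shared session and over two distinct sessions."""
    key = b"constructed shared secret for the example"
    user = "nico"
    # Constructed session identifiers: the client's exchange and a separate
    # exchange with the server that does not share the same session ID.
    client_sid = hashlib.sha256(b"constructed: client side exchange").digest()
    other_sid = hashlib.sha256(b"constructed: separate server side exchange").digest()

    bound_tag = authenticator(key, bound_auth_data(client_sid, user, "demo-bound"))
    unbound_tag = authenticator(key, unbound_auth_data(user, "demo-unbound"))

    return {
        # Same session on both ends: both methods verify.
        "bound_same_session": server_verify_bound(key, client_sid, user, bound_tag),
        "unbound_same_session": server_verify_unbound(key, user, unbound_tag),
        # Server sees a different session ID: the bound authenticator fails,
        # the unbound one is accepted regardless.
        "bound_other_session": server_verify_bound(key, other_sid, user, bound_tag),
        "unbound_other_session": server_verify_unbound(key, user, unbound_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the comparison is the last two entries: the bound authenticator is rejected the moment the server's session identifier differs from the one the client signed over, while the unbound one carries no information the server could use to tell the two sessions apart. That is the property the message attributes to gsskeyex and to publickey, and the gap it accepts for gss userauth alongside password and keyboard-interactive.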


