IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: gss userauth
On Tue, Aug 26, 2003 at 03:22:00PM -0400, Sam Hartman wrote:
> My reason is simple. I don't really see this as a new vulnerability
> so much as an apparent decision on the part of the WG to change the
> threat model.
Not only that, there is an alternative that does the right thing:
gsskeyex.
I think a warning about gss userauth not being bound to the session ID
and the resulting weakness, along with text explaining gss userauth's
utility with gss mechs that don't provide integrity protection ought to
suffice. We have other userauths that also don't bind authentication to
the session ID (password, keyboard-interactive), so gss userauth's
failure to bind authentication to the session ID is acceptable,
particularly given that gsskeyex does (plus it has other benefits).
Cheers,
Nico
--
Home |
Main Index |
Thread Index |
Old Index