IETF-SSH archive


Re: gss userauth



On Wed, Aug 27, 2003 at 11:27:55AM +0200, Markus Friedl wrote:
> On Tue, Aug 26, 2003 at 09:34:07PM -0700, Nicolas Williams wrote:
> > suffice.  We have other userauths that also don't bind authentication to
> > the session ID (password, keyboard-interactive), so gss userauth's
> 
> so both are weak forms of authentication.
> 
> > failure to bind authentication to the session ID is acceptable,
> 
> so gss userauth should be weak as well?

It has to be weak in that way for mechanisms that don't provide
integrity protection.  For mechanisms that support integrity protection
there is gss keyex, which does not have this weakness.

Cheers,

Nico
-- 
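
The difference discussed in this message, as an added illustration that is not part of the original post or of any SSH draft: an authenticator computed without the session ID verifies on any session, while a MIC computed over the session ID verifies only on the session it was made for. HMAC-SHA256 stands in for a mechanism's integrity service, and all names, keys and transcripts are constructed for the example.

```python
import hashlib
import hmac


def session_id(kex_transcript: bytes) -> bytes:
    """Stand-in for the SSH session ID: a hash over the first key exchange."""
    return hashlib.sha256(kex_transcript).digest()


def unbound_proof(secret: bytes, user: str) -> bytes:
    """Password-style proof: depends on the secret and user, not the session."""
    return hashlib.sha256(user.encode() + b"\x00" + secret).digest()


def bound_proof(context_key: bytes, sid: bytes, user: str) -> bytes:
    """MIC over session ID + user name (HMAC assumed as the integrity service)."""
    return hmac.new(context_key, sid + user.encode(), hashlib.sha256).digest()


def verify_unbound(secret: bytes, user: str, proof: bytes) -> bool:
    # The verifier has no session input to check, so any session passes.
    return hmac.compare_digest(unbound_proof(secret, user), proof)


def verify_bound(context_key: bytes, server_sid: bytes, user: str,
                 proof: bytes) -> bool:
    # The verifier recomputes the MIC with the session ID it observed itself.
    return hmac.compare_digest(bound_proof(context_key, server_sid, user), proof)


# Constructed sample values: two key exchanges yield two session IDs.
SID_CLIENT_SIDE = session_id(b"constructed key exchange transcript A")
SID_SERVER_SIDE = session_id(b"constructed key exchange transcript B")
SECRET = b"constructed-shared-secret"
CONTEXT_KEY = b"constructed-context-key"
USER = "nico"


def results() -> dict:
    up = unbound_proof(SECRET, USER)
    bp = bound_proof(CONTEXT_KEY, SID_CLIENT_SIDE, USER)
    return {
        "unbound_accepted_on_other_session": verify_unbound(SECRET, USER, up),
        "bound_accepted_on_same_session":
            verify_bound(CONTEXT_KEY, SID_CLIENT_SIDE, USER, bp),
        "bound_accepted_on_other_session":
            verify_bound(CONTEXT_KEY, SID_SERVER_SIDE, USER, bp),
    }


if __name__ == "__main__":
    print(results())
```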


