IETF-SSH archive


Re: gss userauth



On Wed, Aug 27, 2003 at 12:42:51PM -0400, Joel N. Weber II wrote:
> > Why are you uncomfortable with GSS channel bindings?  We know that they
> > work, from experience, where they are supported.  The lack of support
> > for channel bindings across the board is definitely one good reason to
> > be uncomfortable with using that facility to tackle this problem.
> 
> So, is there any deployed software anywhere that uses GSS channel
> bindings with krb5 gssapi?  Or with gsi gssapi?  If so, is there more
> than one independent implementation with demonstrated
> interoperability?

MIT krb5's ftp/ftpd used to require the use of channel bindings using
network addresses as the bindings.  Of course, that created problems
with NAT, but that's another story and wouldn't apply to this case.

Did Heimdal ever support channel bindings?  I don't know.

There are also MIT-based implementations that interop with MIT.

SSPI doesn't.

> I strongly believe we should pick an approach that involves the use of
> a MIC.

Actually, I agree, not because of issues with channel bindings but
because Jeff Hutzelman's proposal of using partial userauth with an
additional userauth that has the client send the MIC is better, from a
backwards compatibility point of view.

> And I also don't see that channel bindings really buy us anything.
> There are ways to do a MIC that will allow an old client to
> interoperate with a new server, and vice versa.  Do channel bindings
> ever allow the problems to be solved without upgrading both the client
> and server?

I had already agreed that channel bindings wouldn't be the solution now
- I was asking Sam why he was uncomfortable with channel bindings as I
had the strong impression that he meant that generally, not specifically
in this context (the quote was "I am sufficiently uncomfortable with GSS
channel bindings to refrain from recommending their use until CCM
becomes much more mature").

Cheers,

Nico
-- 



