Re: gss userauth

[Jeffrey Hutzelman <jhutz%cmu.edu@localhost>]

On Tue, 2 Sep 2003, Joel N. Weber II wrote:

> I'm concerned about the complexity that would be required to add the
> partial success flag as you seem to be planning to specify it; the

I don't specify how the partial success flag works; the ssh-userauth
document does.  If you think it's too hard to implement, you should
comment on that issue separately, since that document has already passed
WG last call and gone to the IESG, and time to make changes is running
out.

> Your proposal also has a bunch of new rules about when you can try
> which authentication method.

No, I add one new rule: you can only try gssapi-mic when you have an
appropriate context to use.  It's not a very difficult rule to follow; if
you don't have a context, you can't possibly construct the request
message.

> And I really don't see what you buy by requiring that complexity that
> you're advocating.

I don't see that I'm advocating significant complexity.  For an
implementation of the ssh protocol that already supports gssapi userauth,
adding support for gssapi-mic should be pretty easy.

> I'd really like to see something that can easily be implemented
> without modifying the API that authentication methods use.

I know of no standard API.  I'm not working on an add-on to OpenSSH; I'm
working on an extension to the SSHv2 protocol.  It should not be difficult
to add the method I am proposing to an SSHv2 implementation which
correctly implements the current SSH protocol drafts and the existing
GSSAPI mechanisms.  I know of at least one implementor other than OpenSSH
who is already doing so, and at least three other people have outlined
ways to do so in OpenSSH, including returning partial success from an
authentication method and updating the list of mechanisms listed by the
server.

> We have two openssh maintainers opposed to the partial authentication




> approach.  And I have a preference against the partial authentication
> method; I've been working on an implementation of the gssapi-mic
> authentication method, and I've also written a patch for gnupg support
> of significant size.
>
> How much code for an ssh implementation have the partial
> authentication advocates written?

I'll pretend you didn't just suggest that somehow your having written some
patches for openssh makes your opinion more valuable or worthwhile than
mine.  This is an IETF working group, Joel -- everyone's opinion counts.



Just to be clear...  I don't really care what final form this takes.
What I do care about is

- Maintaining backward compatibility for the existing deployed base,
  so that people can transition without a flag day.
- Maintaining support for GSSAPI mechanisms which are unable to support
  GSS_GetMIC()
- Not making gratuitous changes to work that's already been done.
- Getting this done in a timely manner.

I know there are implementors who are planning on doing releases in the
near future which include GSSAPI userauth (you know who you are).  I'd
like to see those releases include support for the more secure variant, in
whatever form we end up agreeing on.  Some have already begun to implement
what we discussed last week, which I described formally in my message
yesterday morning.

I'm willing to go with another approach, if you can convince me that it
maintains the goals of backward compatibility and support for
non-integrity-capable mechanisms, that there's a real reason why it's
better (not just that using partial authentication offends your sense of
aesthetics), and that it won't in fact be harder for implementors to get
right.

-- Jeff