IETF-SSH archive


Re: gss userauth



Quoting Jeffrey Hutzelman <jhutz%cmu.edu@localhost>:

> Er, sorry.  Yes, of course I've seen this proposal.  I think Markus is
> proposing essentially the same thing, and I assume it's the leading
> alternative to the gssapi-mic we've already discussed and specified (can
> you please use some other name; having two proposals which use the same
> method name is confusing).
> 
> I'm not convinced that what you describe is actually easier to implement
> correctly.

Neither am I. There are several issues with having two different methods
using the same messages, both in OpenSSH and, I would imagine, in other
protocols.

If messages become overloaded, it becomes necessary for the application to
keep track of the context in which those messages have occurred (is this a
gssapi, or a gssapi-mic message) for the entire exchange. It also doesn't
give us a solution that we can simply extend to key exchange.

There isn't any easy way for a client to decide whether a GSSAPI mechanism
should be offered via the gssapi-mic or normal methods before it offers it.
The client requires no particular knowledge of the underlying GSSAPI
mechanism(s) it's linked against, and I'd rather not add any. With mechanisms
that require user interaction (secure tokens, for example), having the same
mechanism tried twice (once with gssapi-mic, then again with gssapi when -mic
fails) would be annoying to say the least.

> It may be easier to do in the openssh server, because it 
> doesn't require filling in whatever support for partial authentication

The 'missing' support for partial authentication requires about 3 lines of
code to add to satisfy the needs of the proposed text. The gssapi-mic 
mechanism works equally well without partial authentication support. 
As Markus has said, the patch to add support for gssapi-mic is relatively
straightforward.

> My argument at this point boils down to not wanting to create
> unnecessary extra work for implementors.  

It's important to realise just _how_ many implementations, and in turn,
users, we already have out there.  My GSSAPI patches have turned up in
various forms in a large number of products. The strand supporting GSI is
widely deployed across the Grid computing community as well.

Personally, I feel that the gssapi-mic proposal is the best one for solving
this problem in a general fashion that I've heard.

Cheers,

Simon.
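Added illustration (written for this archive page, not code from OpenSSH or from any of the patches discussed in the thread) of the context-tracking problem Simon raises: when "gssapi" and "gssapi-mic" share the same message numbers, the server can only interpret a completion message by remembering which method the client named in its USERAUTH_REQUEST. The message numbers are the ones later assigned in RFC 4462; the assumption that "gssapi" finishes with EXCHANGE_COMPLETE while "gssapi-mic" finishes with a MIC follows the later "gssapi-with-mic" design; the GSSAPI mechanism, its final token, the context key and the session id are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Message numbers as assigned in RFC 4462. Both methods share 60-66, which is
# exactly why the server must remember the method for the whole exchange.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_GSSAPI_RESPONSE = 60
SSH_MSG_USERAUTH_GSSAPI_TOKEN = 61
SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
SSH_MSG_USERAUTH_GSSAPI_MIC = 66

# Constructed stand-ins for a real GSSAPI mechanism (not GSSAPI calls).
FINAL_TOKEN = b"final-token"            # token that completes the context
CONTEXT_KEY = b"constructed-session-key"  # key a verifier would use for the MIC
SESSION_ID = b"constructed-session-id"


class ProtocolError(Exception):
    pass


@dataclass
class AuthExchange:
    """Per-attempt state. `method` is the information the shared message numbers cannot carry."""
    method: Optional[str] = None
    context_established: bool = False
    events: list = field(default_factory=list)


def mic_over_session(session_id: bytes) -> bytes:
    """Stand-in for gss_get_mic over the session identifier (HMAC, constructed)."""
    return hmac.new(CONTEXT_KEY, session_id, hashlib.sha256).digest()


def handle(ex: AuthExchange, msg_type: int, payload: bytes = b"") -> int:
    """Dispatch one client message and return the message number of the server's reply."""
    if msg_type == SSH_MSG_USERAUTH_REQUEST:
        method = payload.decode()
        if method not in ("gssapi", "gssapi-mic"):
            raise ProtocolError(f"unsupported method {method!r}")
        ex.method, ex.context_established = method, False
        ex.events.append(f"begin {method}")
        return SSH_MSG_USERAUTH_GSSAPI_RESPONSE

    # Every later message number is shared by both methods; the remembered
    # method is the only way to decide what a given message means.
    if ex.method is None:
        raise ProtocolError("GSSAPI message outside a userauth exchange")

    if msg_type == SSH_MSG_USERAUTH_GSSAPI_TOKEN:
        if payload == FINAL_TOKEN:
            ex.context_established = True
        return SSH_MSG_USERAUTH_GSSAPI_TOKEN  # reply token (constructed)

    if not ex.context_established:
        raise ProtocolError("completion message before context established")

    if msg_type == SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE:
        if ex.method != "gssapi":
            # Accepting this in a gssapi-mic exchange would let the client skip the MIC.
            raise ProtocolError("EXCHANGE_COMPLETE is not valid for gssapi-mic")
        ex.events.append("complete without mic")
        return SSH_MSG_USERAUTH_SUCCESS

    if msg_type == SSH_MSG_USERAUTH_GSSAPI_MIC:
        if ex.method != "gssapi-mic":
            raise ProtocolError("MIC is not valid for gssapi")
        if not hmac.compare_digest(payload, mic_over_session(SESSION_ID)):
            raise ProtocolError("bad MIC")
        ex.events.append("complete with mic")
        return SSH_MSG_USERAUTH_SUCCESS

    raise ProtocolError(f"unexpected message {msg_type}")


def run(method: str, completion: int, mic: bytes = b"") -> list:
    """Drive one full exchange and return its event log; raises ProtocolError on misuse."""
    ex = AuthExchange()
    handle(ex, SSH_MSG_USERAUTH_REQUEST, method.encode())
    handle(ex, SSH_MSG_USERAUTH_GSSAPI_TOKEN, FINAL_TOKEN)
    handle(ex, completion, mic)
    return ex.events


if __name__ == "__main__":
    print(run("gssapi", SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE))
    print(run("gssapi-mic", SSH_MSG_USERAUTH_GSSAPI_MIC, mic_over_session(SESSION_ID)))
```

The third branch in `handle` is the one that matters: without `ex.method`, a server could not tell whether an EXCHANGE_COMPLETE arriving after the context is established is the legitimate end of a "gssapi" attempt or a "gssapi-mic" client omitting the MIC that binds the context to this session.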


