IETF-SSH archive
Re: gss userauth
On Tue, Sep 02, 2003 at 02:14:31PM -0400, Jeffrey Hutzelman wrote:
> I'm also not convinced that it's better than what we already have. The
> only real improvement seems to be that it doesn't require using partial
> authentication, which Markus finds distasteful. I've yet to see any
> argument as to _why_ using partial authentication is distasteful.
A server wants to enforce the use of a MIC, but has to offer "gssapi"
instead of "gssapi-mic" as a method.
Now all legacy clients can connect: they will choose "gssapi" and
progress until the method succeeds partially. But now they are
stuck, since the server only offers "gssapi-mic", so the complete
"gssapi" is wasted.
If you have distinct methods, then the server initially offers only
"gssapi-mic". Then legacy clients can connect and choose a different
method without problems.
However, if the server offers "gssapi", they will always choose
"gssapi", even if "gssapi" now means "gssapi"+"gssapi-mic".
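The negotiation argued over in the message above, as an added worked model that is not part of the original thread, the IETF-SSH drafts, or any SSH implementation. It follows the RFC 4252 shape of userauth: every attempt is answered with either success or a failure that carries the list of methods that can continue and a partial-success flag, and the client always picks the first method in its own preference list that the server says can continue. The method names "gssapi" and "gssapi-mic" come from the thread; "publickey", the two server policies, the two client preference lists and all function names are assumptions made for the illustration.

```python
# Toy model of SSH userauth method negotiation (RFC 4252 style). Added
# illustration only: not code from the IETF-SSH drafts or any SSH server or
# client. Only the method names "gssapi" and "gssapi-mic" are from the
# thread; policies, client preferences and names below are assumed.

from dataclasses import dataclass, field


@dataclass
class Server:
    """Server policy expressed as the method sequences it accepts in full."""
    accepted: list                         # list of tuples of method names
    done: list = field(default_factory=list)

    def can_continue(self):
        """Methods the server would advertise as able to continue now."""
        n = len(self.done)
        return {
            path[n]
            for path in self.accepted
            if len(path) > n and list(path[:n]) == self.done
        }

    def attempt(self, method):
        """Return (success, partial_success, methods_that_can_continue)."""
        if method not in self.can_continue():
            # Rejected attempt: authentication state does not advance.
            return False, bool(self.done), self.can_continue()
        self.done.append(method)
        if tuple(self.done) in self.accepted:
            return True, False, set()
        # One required step done, more to go: partial success.
        return False, True, self.can_continue()


def negotiate(server, client_prefs, max_rounds=8):
    """Run one client against one server.

    The client picks the first entry of its preference list that the server
    lists as able to continue. Returns ('success' | 'stuck', methods used)."""
    used = []
    offered = server.can_continue()
    for _ in range(max_rounds):
        choice = next((m for m in client_prefs if m in offered), None)
        if choice is None:
            return "stuck", used           # nothing it knows is on offer
        used.append(choice)
        ok, _partial, offered = server.attempt(choice)
        if ok:
            return "success", used
    return "stuck", used


# Design 1 (partial authentication): plain "gssapi" is offered, and a server
# that enforces the MIC demands "gssapi-mic" as a second step afterwards.
PARTIAL_AUTH_POLICY = [("publickey",), ("gssapi", "gssapi-mic")]

# Design 2 (distinct methods): plain "gssapi" is never offered; the MIC
# variant is one self-contained method next to the others.
DISTINCT_METHODS_POLICY = [("publickey",), ("gssapi-mic",)]

LEGACY_CLIENT = ["gssapi", "publickey"]             # knows no MIC step
NEW_CLIENT = ["gssapi-mic", "gssapi", "publickey"]  # prefers the MIC variant


def run_all():
    """Every client against every policy: {(policy, client): (outcome, used)}."""
    results = {}
    for policy_name, policy in (("partial", PARTIAL_AUTH_POLICY),
                                ("distinct", DISTINCT_METHODS_POLICY)):
        for client_name, prefs in (("legacy", LEGACY_CLIENT),
                                   ("new", NEW_CLIENT)):
            outcome, used = negotiate(Server(list(policy)), prefs)
            results[(policy_name, client_name)] = (outcome, used)
    return results


if __name__ == "__main__":
    for (policy, client), (outcome, used) in run_all().items():
        print(f"{policy:8} policy, {client:6} client: {outcome:7} via {used}")
```

Under the partial-authentication policy the legacy client spends a full "gssapi" exchange and is then shown only "gssapi-mic", which it does not know, so it ends up stuck; under the distinct-methods policy the same client never sees "gssapi" on offer and falls back to "publickey" without wasting an exchange, while a new client takes "gssapi-mic" directly in both cases.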