IETF-SSH archive


Re: gss userauth



> If messages become overloaded, it becomes necessary for the application to 
> keep track of the context in which those messages have occurred (is this a
> gssapi, or a gssapi-mic message) for the entire exchange.

Doesn't this happen with privsep already, in a different sense?

In the openssh implementation, this is probably what
authctxt->methoddata is for...

> The 'missing' support for partial authentication requires about 3 lines of
> code to add to satisfy the needs of the proposed text.

Looking at the code, I don't see how you can do that with 3 lines in a
non-hackish fashion, but shrug.  I haven't seen your patch, and I'm
not sure that it's anywhere that I can see it.

> The gssapi-mic 
> mechanism works equally well without partial authentication
> support. 

It does work fine, as I've observed, but it also violates the spec
Jeff is writing, unless what you wrote is sufficiently ambiguous
that we're thinking about two different things.




