IETF-SSH archive


Re: gss userauth



I find this convincing.

On Tue, Sep 02, 2003 at 08:51:11PM +0200, Markus Friedl wrote:
> On Tue, Sep 02, 2003 at 02:14:31PM -0400, Jeffrey Hutzelman wrote:
> > I'm also not convinced that it's better than what we already have.  The
> > only real improvement seems to be that it doesn't require using partial
> > authentication, which Markus finds distasteful.  I've yet to see any
> > argument as to _why_ using partial authentication is distasteful.
> 
> A server wants to enforce the use of a MIC, but has to offer "gssapi"
> instead of "gssapi-mic" as a method.
> 
> Now all legacy clients can connect, they will choose "gssapi",
> progress until the method succeeds partially.  But now they are
> stuck since the server only offers "gssapi-mic", so the complete
> "gssapi" is wasted.
> 
> If you have distinct methods, then the server initially offers only
> "gssapi-mic".  Then legacy clients can connect and choose a different
> method without problems.
> 
> However, if the server offers "gssapi", they will always choose
> "gssapi", even if "gssapi" now means "gssapi"+"gssapi-mic".
> 
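The negotiation Markus describes, as a constructed simulation added here (not OpenSSH code and not text from any draft); the two server designs, the client preference orders and the "publickey" fallback are assumptions for illustration.

```python
# Constructed simulation of SSH userauth method negotiation (RFC 4252 style:
# the server names the methods that "can continue" and may report partial
# success). Illustration only; not OpenSSH code and not text from any draft.

def legacy_client(offered):
    """Legacy client: implements 'gssapi' and 'publickey', not 'gssapi-mic'."""
    for m in ("gssapi", "publickey"):
        if m in offered:
            return m
    return None                         # nothing it can continue with

def modern_client(offered):
    """Client that also implements 'gssapi-mic'."""
    for m in ("gssapi-mic", "gssapi", "publickey"):
        if m in offered:
            return m
    return None

def partial_auth_server(state, method):
    """Design A: a single 'gssapi' method; the MIC is enforced by answering
    it with partial success and then offering only 'gssapi-mic'.
    Returns (result, methods_that_can_continue, new_state)."""
    if method is None:                  # initial list of offered methods
        return "start", ["gssapi", "publickey"], state
    if method == "gssapi":              # GSS exchange completed, MIC still owed
        return "partial", ["gssapi-mic"], state | {"gss_done"}
    if method == "publickey" or (method == "gssapi-mic" and "gss_done" in state):
        return "success", [], state
    return "failure", ["gssapi", "publickey"], state

def distinct_method_server(state, method):
    """Design B: a server that wants a MIC offers only 'gssapi-mic'."""
    if method is None:
        return "start", ["gssapi-mic", "publickey"], state
    if method in ("gssapi-mic", "publickey"):
        return "success", [], state
    return "failure", ["gssapi-mic", "publickey"], state

def negotiate(server, client, max_rounds=5):
    """Run the exchange; returns (outcome, methods the client attempted)."""
    state, tried = frozenset(), []
    _, offered, state = server(state, None)
    for _ in range(max_rounds):
        choice = client(offered)
        if choice is None:              # client knows none of the offered methods
            return "stuck", tried
        tried.append(choice)
        result, offered, state = server(state, choice)
        if result == "success":
            return "success", tried
    return "stuck", tried
```

With design A the legacy client ends stuck after a completed "gssapi" exchange; with design B it falls back to "publickey" at once.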


