IETF-SSH archive


Re: gss userauth



> Is there a list of GSS-API mechanisms that *don't* support integrity
> protection?  Could you please post it?

I believe that the SRP GSSAPI mechanism that I've seen an
internet-draft for but not an RFC doesn't do integrity protection, but
it does do some kind of key generation.  If you wanted to use that
mechanism as it is currently specified, you'd probably actually want
to either find some other GSSAPI mechanism that provides integrity
protection to use with it, or specify the use of that key generation
somehow.  Or perhaps the mechanism could be modified to provide
integrity somehow.

But I'm not aware of anyone ever having any actual intent to use
anything other than krb5 and gsi with ssh-gssapi.

(Also, while SASL and GSSAPI are different, many of the obvious SASL
mechanisms that don't do integrity are things for which there is
already an ssh userauth mechanism that does some approximation of the
same thing.)




