IETF-SSH archive


Re: gss userauth
> "Integrity MUST be specified as an input to gss_init_sec_context().
> If the resulting context supports integrity, the output of
> gss_getMic on <some data> must be included.  Otherwise the
> "mic" string MUST be empty.
>
> It is a site policy decision for the server whether or not
> to accept for authentication gss mechanisms that do not
> support integrity.  The server MAY fail the otherwise valid
> gssapi-with-mic authentication if integrity is not supported.

I like the general idea behind this proposal.

The only concern I have is that the language ought to specify that if
you're supporting some mechanisms that do integrity and some that
don't, you should not force the site policy to turn off the mic for
the mechanisms that do support integrity.  I'm not sure if gssapi
gives you a better way to do this than allowing this to be configured
on a per-mechanism basis.
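The server-side logic the proposal and the reply above describe, as an added example that is not code from the thread or from any SSH implementation. It uses a hypothetical stand-in for a GSS-API context (an HMAC in place of gss_getMic/gss_verifyMic, and a boolean in place of the integrity flag returned by gss_init_sec_context/gss_accept_sec_context); the mechanism names, keys and MIC input are constructed sample values, and the site policy is keyed per mechanism so that permitting one non-integrity mechanism never disables MIC checking for mechanisms that do support integrity:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder for the data the proposal says the MIC covers
# ("<some data>" in the quoted text); the real definition is not on this page.
MIC_DATA = b"constructed-placeholder-for-mic-input"


@dataclass
class StandInContext:
    """Hypothetical stand-in for an established GSS-API security context.

    `integ_available` models whether the negotiated context supports integrity;
    `key` is a constructed sample key for the HMAC that stands in for gss_getMic.
    """
    mechanism: str
    integ_available: bool
    key: bytes = b""

    def get_mic(self, data: bytes) -> bytes:
        # Stand-in for gss_getMic(): real GSS MICs are mechanism-defined tokens.
        if not self.integ_available:
            raise ValueError("context does not support integrity")
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def verify_mic(self, data: bytes, mic: bytes) -> bool:
        # Stand-in for gss_verifyMic(); constant-time compare of the expected value.
        return hmac.compare_digest(self.get_mic(data), mic)


def client_build_mic(ctx: StandInContext, data: bytes) -> bytes:
    """Client rule from the proposal: MIC if the context supports integrity, else empty."""
    return ctx.get_mic(data) if ctx.integ_available else b""


def server_check(ctx: StandInContext, data: bytes, mic: bytes,
                 accept_without_integrity: dict) -> tuple:
    """Server rule: verify the MIC whenever integrity is available; otherwise the
    MIC must be empty and a per-mechanism site policy decides acceptance.

    `accept_without_integrity` maps mechanism name -> bool; mechanisms absent
    from the map are rejected when they lack integrity (fail closed).
    """
    if ctx.integ_available:
        # Site policy never applies here: an integrity-capable context must carry a MIC.
        if not mic:
            return (False, "integrity supported but mic empty")
        if not ctx.verify_mic(data, mic):
            return (False, "mic verification failed")
        return (True, "mic verified")
    # Context without integrity: the proposal requires an empty "mic" string.
    if mic:
        return (False, "mic present but context lacks integrity")
    if not accept_without_integrity.get(ctx.mechanism, False):
        return (False, "site policy rejects mechanism without integrity")
    return (True, "accepted without mic per site policy")


if __name__ == "__main__":
    with_integ = StandInContext("sample-mech-a", True, b"constructed-sample-key")
    without_integ = StandInContext("sample-mech-b", False)
    policy = {"sample-mech-b": True}   # allow only mech-b to authenticate without a MIC
    print(server_check(with_integ, MIC_DATA, client_build_mic(with_integ, MIC_DATA), policy))
    print(server_check(without_integ, MIC_DATA, client_build_mic(without_integ, MIC_DATA), policy))
```

Because the policy map is consulted only on the no-integrity branch, relaxing it for one mechanism has no effect on the MIC requirement for any mechanism whose context supports integrity, which is the per-mechanism configuration the reply asks for.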
