IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes



Well,

It could be a problem. If someone has implemented a client and doesn't do
mutual auth (as the standard says they should), they could be broken.  

The fix is easy.  Just remove:

(*flags & GSS_C_MUTUAL_FLAG) &&
            (*flags & GSS_C_INTEG_FLAG))

from the if statement.  

I have already tested this out, it works fine.  I will make a diff if
someone tells me what to base if off of.

-----Original Message-----
From: Sam Hartman [mailto:hartmans%mit.edu@localhost] 
Sent: Friday, January 30, 2004 3:54 PM
To: Ben Lindstrom
Cc: Wachdorf, Daniel R; 'Jeffrey Hutzelman'; krbdev%mit.edu@localhost;
ietf-ssh%NetBSD.org@localhost; kerberos%mit.edu@localhost; heimdal-discuss%sics.se@localhost; OpenSSH
Devel List
Subject: Re: Pending OpenSSH release: contains Kerberos/GSSAPI changes

>>>>> "Ben" == Ben Lindstrom <mouring%etoh.eviladmin.org@localhost> writes:

    Ben> I need someone to look at this and get back to us ASAP in
    Ben> regards to if this will break GSSAPI-WITH-MIC.

It may make some conforming clients break but does not create a
security problem.

Some client implementers may choose to introduce an extra round trip
(which is what setting the mutual required flag does) in order to
interoperate with OpenSsh if the code is released in the current
state.

Really, that's probably OK if it happens.

I'd class this as a minor conformance issue, but not a huge deal.





Home | Main Index | Thread Index | Old Index