IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes



No.

1 - RFC states GSS_C_MUTUAL_FLAG SHOULD not be used.  The current open ssh
server requires that it be used.

2 - RFC also allow for gss mechanisms that don't have GSSAPI integrity.
Servers can then choose to disallow it. As far as I can tell from the code,
any client which doesn't (or cant) have the GSS_C_INTEG_FLAG set cannot
connect.  I can't test this because Kerberos-gssapi uses integrity.

-dan

-----Original Message-----
From: Ben Lindstrom [mailto:mouring%etoh.eviladmin.org@localhost] 
Sent: Friday, January 30, 2004 4:11 PM
To: Wachdorf, Daniel R
Cc: 'Sam Hartman'; 'Jeffrey Hutzelman'; krbdev%mit.edu@localhost; ietf-ssh%NetBSD.org@localhost;
kerberos%mit.edu@localhost; heimdal-discuss%sics.se@localhost; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes



On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:

> Well,
>
> It could be a problem. If someone has implemented a client and doesn't do
								^^^^^^^^^^
> mutual auth (as the standard says they should), they could be broken.
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This right here is the key to me.  If someone is not following the RFC.
Then I say let them complaint to their vendor.

Again I ask.. As the code stands are *WE* in RFC compliance?  If not we
need it fixed.

As for what to base it off of.  Pick a recent snapshot.  Not as if the
GSSAPI-WITH-MIC code has drasticly changed in the last few days.

- Ben





Home | Main Index | Thread Index | Old Index