IETF-SSH archive
RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
(Just to pick nits... Note that this is not yet an RFC. Hopefully that
will change sometime in the next few months, but at the moment it's still
an internet-draft.)
On Friday, January 30, 2004 16:25:34 -0700 "Wachdorf, Daniel R"
<drwachd%sandia.gov@localhost> wrote:
2 - The RFC also allows for GSS mechanisms that don't have GSSAPI integrity.
Servers can then choose to disallow it. As far as I can tell from the
code, any client which doesn't (or can't) have the GSS_C_INTEG_FLAG set
cannot connect. I can't test this because Kerberos-gssapi uses integrity.
This is legitimate behaviour. See the last paragraph of section 3.6, at
the top of page 15:
It is a site policy decision for the server whether or not to permit
authentication using GSSAPI mechanisms and/or contexts which do not
support per-message integrity protection. The server MAY fail the
otherwise valid gssapi-with-mic authentication if per-message
integrity protection is not supported.
Note the use of the word "MAY", which means "do whatever you want". We
actually expect that most server operators will want to accept
gssapi-with-mic only in cases where integrity is supported. There was a
fairly lengthy discussion of this issue on the ietf-ssh list last October or
so.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
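To make the policy choice discussed above concrete, here is an added example (not code from this list, from the draft, or from OpenSSH) that models the server-side decision the draft's section 3.6 leaves to the site: once the GSS-API context is established, the server looks at the ret_flags it was handed and either refuses an otherwise valid gssapi-with-mic exchange that lacks per-message integrity (the strict behaviour the thread attributes to OpenSSH) or accepts it under the permissive reading of "MAY". The flag bit values are the ones defined in the GSS-API C bindings (RFC 2744); the Decision type, the require_integrity switch and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Context flag bits as defined in the GSS-API C bindings (RFC 2744).
GSS_C_DELEG_FLAG = 1
GSS_C_MUTUAL_FLAG = 2
GSS_C_REPLAY_FLAG = 4
GSS_C_SEQUENCE_FLAG = 8
GSS_C_CONF_FLAG = 16
GSS_C_INTEG_FLAG = 32

_FLAG_NAMES = {
    GSS_C_DELEG_FLAG: "GSS_C_DELEG_FLAG",
    GSS_C_MUTUAL_FLAG: "GSS_C_MUTUAL_FLAG",
    GSS_C_REPLAY_FLAG: "GSS_C_REPLAY_FLAG",
    GSS_C_SEQUENCE_FLAG: "GSS_C_SEQUENCE_FLAG",
    GSS_C_CONF_FLAG: "GSS_C_CONF_FLAG",
    GSS_C_INTEG_FLAG: "GSS_C_INTEG_FLAG",
}


def describe_flags(ret_flags: int) -> list[str]:
    """Names of the flags set in a ret_flags word, for logging the decision."""
    return [name for bit, name in _FLAG_NAMES.items() if ret_flags & bit]


@dataclass(frozen=True)
class Decision:
    """Constructed result type: whether the server proceeds, and why."""
    accepted: bool
    reason: str


def server_accepts_context(ret_flags: int, require_integrity: bool) -> Decision:
    """Apply the site policy from section 3.6 after the context is established.

    require_integrity=True is the strict behaviour described in the thread: a
    context without GSS_C_INTEG_FLAG is refused even though the exchange itself
    was valid.  require_integrity=False exercises the "MAY": the context is
    accepted, but there is then no per-message integrity, so no MIC over the
    session identifier can be demanded from the client.
    """
    has_integ = bool(ret_flags & GSS_C_INTEG_FLAG)
    if has_integ:
        return Decision(True, "context supports per-message integrity; "
                              "client MIC over the session id will be verified")
    if require_integrity:
        return Decision(False, "site policy requires per-message integrity; "
                               "gssapi-with-mic refused for flags "
                               + ",".join(describe_flags(ret_flags)))
    return Decision(True, "site policy permits contexts without integrity; "
                          "no MIC is available to verify")


if __name__ == "__main__":
    # Constructed sample flag words: a Kerberos-style context with integrity,
    # and a hypothetical mechanism that established mutual auth only.
    kerberos_like = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
    no_integrity = GSS_C_MUTUAL_FLAG
    for flags in (kerberos_like, no_integrity):
        for strict in (True, False):
            d = server_accepts_context(flags, strict)
            print(f"flags={describe_flags(flags)} strict={strict} -> "
                  f"{'accept' if d.accepted else 'reject'}: {d.reason}")
```

The strict branch is the one most sites will want, since a context without integrity cannot bind the authentication to the SSH session identifier via the MIC; the permissive branch exists only because the draft leaves that trade-off to the server operator.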