IETF-SSH archive


RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes



(Just to pick nits... Note that this is not yet an RFC. Hopefully that will change sometime in the next few months, but at the moment it's still an internet-draft.)


On Friday, January 30, 2004 16:25:34 -0700 "Wachdorf, Daniel R" <drwachd%sandia.gov@localhost> wrote:

> 2 - RFC also allows for gss mechanisms that don't have GSSAPI integrity.
> Servers can then choose to disallow it. As far as I can tell from the
> code, any client which doesn't (or can't) have the GSS_C_INTEG_FLAG set
> cannot connect.  I can't test this because Kerberos-gssapi uses integrity.

This is legitimate behaviour. See the last paragraph of section 3.6, at the top of page 15:

  It is a site policy decision for the server whether or not to permit
  authentication using GSSAPI mechanisms and/or contexts which do not
  support per-message integrity protection.  The server MAY fail the
  otherwise valid gssapi-with-mic authentication if per-message
  integrity protection is not supported.

Note the use of the word "MAY", which means "do whatever you want". We actually expect that most server operators will want to accept gssapi-with-mic only in cases where integrity is supported. There was a fairly lengthy discussion of this issue on the ietf-ssh list last October or so.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+%cmu.edu@localhost>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA
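The policy choice the quoted "MAY" leaves open, modelled as a small client/server exchange. This is an added example, not code from OpenSSH or from either poster. It assumes a hypothetical shared context key with HMAC-SHA256 standing in for GSS_GetMIC/GSS_VerifyMIC, a constructed session identifier, and the message numbers, GSS_C_INTEG_FLAG value and MIC input layout of RFC 4462 (the published form of the draft the thread cites). The `require_integrity` flag is the site policy: True is the behaviour Daniel observed in the OpenSSH code (contexts without GSS_C_INTEG_FLAG cannot authenticate), False is the permissive option the draft also allows.

```python
"""Server policy for gssapi-with-mic when the GSS context lacks integrity.

Added example; not OpenSSH code.  A hypothetical shared key plus HMAC-SHA256
stands in for the GSS-API context and GSS_GetMIC/GSS_VerifyMIC.
"""
import hashlib
import hmac
import struct

# Message numbers and flag value as in RFC 4462 / GSS-API.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
SSH_MSG_USERAUTH_GSSAPI_MIC = 66
GSS_C_INTEG_FLAG = 32        # ret_flags bit: per-message integrity available

SUCCESS, FAILURE = "SSH_MSG_USERAUTH_SUCCESS", "SSH_MSG_USERAUTH_FAILURE"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def mic_data(session_id: bytes, user: str, service: str) -> bytes:
    """Bytes the client MICs for SSH_MSG_USERAUTH_GSSAPI_MIC (RFC 4462, 3.5).
    Binding the session id, user and service into the MIC is what ties the
    GSS authentication to this SSH session and this user."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


def get_mic(ctx_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC over an established context (hypothetical key)."""
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def client_final_message(ctx_flags: int, ctx_key: bytes, session_id: bytes,
                         user: str, service: str):
    """What the client sends once the GSS context is complete."""
    if ctx_flags & GSS_C_INTEG_FLAG:
        mic = get_mic(ctx_key, mic_data(session_id, user, service))
        return SSH_MSG_USERAUTH_GSSAPI_MIC, mic
    # No integrity on this context: the client can only signal completion.
    return SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, b""


def server_decide(ctx_flags: int, ctx_key: bytes, session_id: bytes, user: str,
                  service: str, msg_type: int, payload: bytes,
                  require_integrity: bool) -> str:
    """Server side; require_integrity is the site policy the "MAY" leaves open."""
    if msg_type == SSH_MSG_USERAUTH_GSSAPI_MIC:
        if not ctx_flags & GSS_C_INTEG_FLAG:
            return FAILURE       # no way to verify a MIC on this context
        expected = get_mic(ctx_key, mic_data(session_id, user, service))
        return SUCCESS if hmac.compare_digest(expected, payload) else FAILURE
    if msg_type == SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE:
        if ctx_flags & GSS_C_INTEG_FLAG:
            return FAILURE       # integrity was available: insist on the MIC
        return FAILURE if require_integrity else SUCCESS
    return FAILURE


def run_exchange(ctx_flags: int, require_integrity: bool,
                 tamper: bool = False, server_user: str = None) -> str:
    """Drive one client/server round with constructed inputs and return the verdict."""
    session_id = hashlib.sha256(b"constructed session id").digest()   # constructed
    ctx_key = b"hypothetical-context-key"                              # assumption
    user, service = "alice", "ssh-connection"
    msg_type, payload = client_final_message(ctx_flags, ctx_key, session_id,
                                             user, service)
    if tamper and payload:
        payload = bytes([payload[0] ^ 1]) + payload[1:]   # corrupt one MIC byte
    return server_decide(ctx_flags, ctx_key, session_id, server_user or user,
                         service, msg_type, payload, require_integrity)


if __name__ == "__main__":
    for flags, name in ((GSS_C_INTEG_FLAG, "integrity"), (0, "no integrity")):
        for policy in (True, False):
            print(f"{name:13s} require_integrity={policy!s:5s} -> "
                  f"{run_exchange(flags, policy)}")
```

With an integrity-capable context the policy flag makes no difference, since the MIC is always sent and verified; it only matters for mechanisms or contexts that cannot produce one, which is exactly the case Daniel could not exercise with Kerberos.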
