empty user name in gsskeyex

To: ietf-ssh%netbsd.org@localhost
Subject: empty user name in gsskeyex
From: David Leonard <David.Leonard%quest.com@localhost>
Date: Sat, 08 Apr 2006 22:38:53 +1000

I have some concerns with this under-discussed paragraph in gsskeyex-10

 The user name may be an empty string if it can be deduced from the
 results of the GSSAPI authentication. If the user name is not empty,
 and the requested user does not exist, the server MAY disconnect, or
 MAY send a bogus list of acceptable authentications but never accept
 any.  This makes it possible for the server to avoid disclosing
 information about which accounts exist.  In any case, if the user
 does not exist, the authentication request MUST NOT be accepted.

The first sentence mentions a server capability (deducing user nameswhen passed as blank) the status of which isn't clearly described. Ifthe feature isn't useful enough to be included properly, then thatsentence should just be deleted.

I think that deducing user names /is/ a convenient feature, so I insteadsuggest that the first sentence be replaced with:


 If the user name is an empty string, the server MAY deduce the user
 name from the results of the GSSAPI authentication.

And a corresponding provision should also be added to the gssapi-keyexmethod section (i.e. repeat the above sentence for keyex)

This is a pretty useful feature for users in my view. But I am worriedthat it has too many problems. The current GSSAPI does not provide a wayto portably deduce an account name from credentials. (I'm thinking aboutquerying credentials to get a GSS_C_NT_USER_NAME name). Maybe one day itwill? But for now, a server must talk magic to its favourite mechanisms.In short, the feature encourages non-standard implementation. Thatsounds bad to me.

I also noticed an interoperability problem. A good client, not providedwith a username, will try the empty-username first, and if it fails,assume the server is old and try to deduce a username itself. However,openssh servers prohibit a client from changing the username duringauthentication. The server immediately disconnects. Is that cause forconcern?

In short, I don't know if permitting user name deduction is such a greatidea with the problems it may cause. But, it would certainly be nice tohave.


David Leonard

Follow-Ups:
- Re: empty user name in gsskeyex
  - From: Nicolas Williams
- Re: empty user name in gsskeyex
  - From: Jeffrey Hutzelman

Prev by Date: Re: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
Next by Date: Re: empty user name in gsskeyex
Previous by Thread: RE: AUTH48 [AH]: RFC 4462 <draft-ietf-secsh-gsskeyex-10.txt> NOW AVAILABLE (fwd)
Next by Thread: Re: empty user name in gsskeyex
Indexes:

Home | Main Index | Thread Index | Old Index