SSH2 GSSAPI/KerberosV.

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Jul 31 06:16:35 EST 2003



On Wed, 30 Jul 2003, Booker Bense wrote:

> On Tue, 29 Jul 2003, Markus Friedl wrote:
>
> > On Mon, Jul 28, 2003 at 06:32:04PM -0700, Booker Bense wrote:
> > > - What needs to be done? Last I read you were only going to
> > > implement GSSAPI auth and not credential forwarding. This will
> >
> > so GSS API user authentication does not include credential forwarding?
> > too bad.  then why does it need so much code?
>
> - Simon's patches implement this. You've said time and time again
> that you won't accept them regardless of what I or anyone else
> does on this list. All you would accept would be a GSSAPI
> authentication only implementation.
>

Sounds like a damn good place to start if Markus says that is what will be
accepted.  Large multi-feature patches are harder to verify as being
sanely coded and clean of all "edge cases".  I have no doubts Simon's
code is good, but it is the potential corner cases that bother us all.

> > I don't see a line by line audit of the patches or a stripped
> > down version.  I just see long emails.
> >
>
> - What do you want stripped out? What would be an acceptable
> audit? RATS ? or what.... BTW, this is the first time I've ever
> seen you or anybody else in the SSH team request an audit of
> Simon's patches.
>

If you are asking what is acceptable for auditing, then I suspect you are
not a good person to do it.  Automated tools don't catch corner cases.
They surely don't find the "Protocol FOO expected XYZ, but we sent them
XYZZY and thus it crashes."  In fact 'RATS' spews more junk than valid
warnings.  Don't get me wrong.. some automated tools may be useful for
catching some class of issues, but they tend to be in the minority of the
warning messages.

As for the auditing request, Markus has said from *DAY ONE* that he would like
to see someone else that understands KRB (Be it MIT group or qualified
developers) audit it to ensure it is correct.  This is *NOT* the first
time.  And claiming "oh we have run it, and it works" is not auditing.

Frankly, I think we have pretty well laid out on the table what people
should do.  And I'm tired of seeing people bitch, moan and whine.  Either
hunker down and produce the patch or expect the topic to be ignored in the
future.

 - Ben




More information about the openssh-unix-dev mailing list