Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Booker Bense bbense at SLAC.Stanford.EDU
Sat May 17 05:54:07 EST 2003


On Fri, 16 May 2003, Markus Friedl wrote:

> On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> > But
> > the second IMHO is fatally flawed. You could argue that it's not
> > necessary given that the host is already authenticated via the
> > TLS layer, but it's a flaw that can be exploited. IMHO, checking
> > the mutual authentication is a requirement when you also
> > implement tgt forwarding.
>
> So we should add code that's 100 times as large just to have an
> additional way to authenticate a server that's already authenticated?
>

- The GSSAPI patches do a lot more than that and you know it. If
it were my realm, I would insist on it. The server is not
authenticated via kerberos, the TLS layer is subject to
"social engineering" MITM attacks. Kerberos mutual authentication
is not. But hey, it's clear to me that no matter what I or
anybody else says you are not going to do anything different.
There is one question I would like answered.

Is there any chance ever of the current GSSAPI patches ever
being adopted? What would have to happen in order for the
patches to be adopted?

- The code is already effectively forked, there just isn't
a lot of support structure around the GSSAPI fork. This issue
is going to come up with every release, I think you should
at least have a rational answer.

- Booker C. Bense
