Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch

Ben Lindstrom mouring at
Sat May 17 06:05:15 EST 2003

On Fri, 16 May 2003, Booker Bense wrote:

> On Fri, 16 May 2003, Markus Friedl wrote:
> > On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> > > But
> > > the second IMHO is fatally flawed. You could argue that it's not
> > > necessary given that the host is already authenticated via the
> > > TLS layer, but it's a flaw that can be exploited. IMHO, checking
> > > the mutual authentication is a requirement when you also
> > > implement tgt forwarding.
> >
> > So we should add code that's 100 times as large just to have an
> > additional way to authenticate a server that's already authenticated?
> >

Hit the nail on the head.  Can we say it a bit louder so
the people in the back row can hear you? =)

> - The GSSAPI patches do a lot more than that and you know it. If
> it were my realm, I would insist on it. The server is not
> authenticated via kerberos, the TLS layer is subject to
> "social engineering" MITM attacks. Kerberos mutual authentication
> is not. But hey, it's clear to me that no matter what I or
> anybody else says you are not going to do anything different.
> There is one question I would like answered.
> Is there any chance ever of the current GSSAPI patches ever
> being adopted? What would have to happen in order for the
> patches to be adopted?

"Under 1,000 lines of code..."

"A simple/reasonable subset of the GSSAPI specs."

That is what I've heard from Markus and others on the issue
publicly and privately.

> - The code is already effectively forked, there just isn't
> a lot of support structure around the GSSAPI fork. This issue
> is going to come up with every release, I think you should
> at least have a rational answer.

There "isn't a lot of support structure around <Insert unacceptable
patches from chroot to feature XYZZY>.  This issue is going to come up
with every release[..]"

For each one a reason has been given.  If you don't agree, that is fine,
but don't dismiss that a reason has been given.

- Ben
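The point Booker makes above, that a client which forwards its TGT must first verify mutual authentication, can be shown with a small model of the Kerberos AP exchange. The block below is an added illustration for this thread, not OpenSSH or GSSAPI code: it uses a constructed authenticated-encryption stand-in built from hashlib/hmac instead of real Kerberos enctypes, and the principal names, key names and function names (real_server, rogue_server, client_login) are assumptions. A genuine host can open the service ticket and so prove knowledge of the session key in its AP-REP; an impostor reached through a spoofed host cannot, and only a client that checks the AP-REP refuses to hand over its TGT.

```python
import hashlib
import hmac
import json
import secrets
import time

# --- toy authenticated encryption (constructed stand-in for Kerberos enctypes) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || HMAC tag; integrity-protected so a wrong key is detected."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# --- KDC side: long-term key shared only with the real host principal (constructed) ---
HOST_KEY = secrets.token_bytes(32)

def kdc_issue_service_ticket(client: str) -> tuple:
    """Return (ticket, session_key). The ticket is sealed under the host's key."""
    sk = secrets.token_bytes(32)
    ticket = encrypt(HOST_KEY, {"client": client, "sk": sk.hex()})
    return ticket, sk

# --- server side ---
def real_server(ap_req: dict) -> bytes:
    """Genuine host: opens the ticket, recovers sk, and proves it in the AP-REP."""
    tkt = decrypt(HOST_KEY, bytes.fromhex(ap_req["ticket"]))
    sk = bytes.fromhex(tkt["sk"])
    auth = decrypt(sk, bytes.fromhex(ap_req["authenticator"]))
    return encrypt(sk, {"ts": auth["ts"]})   # AP-REP echoes the authenticator timestamp under sk

def rogue_server(ap_req: dict) -> bytes:
    """Impostor the client reached via a spoofed host (the 'social engineering' MITM).
    Without HOST_KEY it cannot recover sk, so it can only return a bogus AP-REP."""
    return secrets.token_bytes(80)

# --- client side ---
def client_login(server, require_mutual: bool) -> dict:
    """Run the AP exchange against `server`; report whether the server was verified
    and whether the client went on to forward (delegate) its TGT."""
    ticket, sk = kdc_issue_service_ticket("alice@EXAMPLE.REALM")
    ts = int(time.time())
    ap_req = {"ticket": ticket.hex(), "authenticator": encrypt(sk, {"ts": ts}).hex()}
    ap_rep = server(ap_req)
    server_verified = False
    if require_mutual:
        try:
            server_verified = decrypt(sk, ap_rep)["ts"] == ts
        except ValueError:
            server_verified = False
    # TGT forwarding: without the mutual-auth check the client delegates to anyone
    # that answered; with it, only to a peer that proved knowledge of sk.
    forward_tgt = server_verified or not require_mutual
    return {"server_verified": server_verified, "tgt_forwarded": forward_tgt}

if __name__ == "__main__":
    print("real host, mutual auth:  ", client_login(real_server, True))
    print("rogue host, mutual auth: ", client_login(rogue_server, True))
    print("rogue host, no check:    ", client_login(rogue_server, False))
```

The third case is the flaw in the thread's sense: the client has a TLS-style channel to some host, skips the AP-REP check, and forwards its TGT to a peer that never proved it was the principal the KDC issued the ticket for.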
