Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
Ben Lindstrom
mouring at etoh.eviladmin.org
Sat May 17 06:05:15 EST 2003
On Fri, 16 May 2003, Booker Bense wrote:
> On Fri, 16 May 2003, Markus Friedl wrote:
>
> > On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> > > But
> > > the second IMHO is fatally flawed. You could argue that it's not
> > > necessary given that the host is already authenticated via the
> > > TLS layer, but it's a flaw that can be exploited. IMHO, checking
> > > the mutual authentication is a requirement when you also
> > > implement tgt forwarding.
> >
> > So we should add code that's 100 times as large just to have an
> > additional way to authenticate a server that's already authenticated?
> >
>
> - The GSSAPI patches do a lot more than that and you know it. If
Bingo.. you hit the nail on the head. Can we say it a bit louder so
the people in the back row can hear you? =)
> it were my realm, I would insist on it. The server is not
> authenticated via kerberos, the TLS layer is subject to
> "social engineering" MITM attacks. Kerberos mutual authentication
> is not. But hey, it's clear to me that no matter what I or
> anybody else says you are not going to do anything different.
> There is one question I would like answered.
>
> Is there any chance ever of the current GSSAPI patches ever
> being adopted? What would have to happen in order for the
> patches to be adopted?
>
"Under 1,000 lines of code..."
"A simple/reasonable subset of the GSSAPI specs."
That is what I've heard from Markus and others on the issue
publicly and privately.
> - The code is already effectively forked, there just isn't
> a lot of support structure around the GSSAPI fork. This issue
> is going to come up with every release, I think you should
> at least have a rational answer.
>
There "isn't a lot of support structure around <Insert unacceptable
patches from chroot to feature XYZZY>. This issue is going to come up
with every release[..]"
For each one a reason has been given. If you don't agree, that is fine,
but don't dismiss that a reason has been given.
- Ben