GSSAPI support in 3.8 ?
Darren Tucker
dtucker at zip.com.au
Tue Mar 2 00:18:23 EST 2004
Kumaresh wrote:
>>From Changelog with 3.8:
> "The experimental "gssapi" support has been replaced with the
> "gssapi-with-mic" to fix possible MITM attacks.The two versions are not
> compatible."
>
> I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI
> support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with
> GSSAPI authentication. I have seen this in changelog, but my question is,
> can anybody explain briefly justifying this change in 3.8 and about MITM
> attacks?
I don't know much GSSAPI, but from what I recall it was because the
draft protocol standard has changed:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-07.txt
[quote]
11. Changes the last version
This section lists important changes since the previous version of
this internet-draft. This section should be removed at the time of
publication of this document as an RFC.
o Changed "gssapi" to "gssapi-with-mic", and added the description
and semantics of the SSH_MSG_USERAUTH_GSSAPI_MIC message.
[/quote]
> Because, I am afraid that in a large network that uses GSSAPI for
> authentication, the new OpenSSH has to be reinstalled on all the systems as
> the latest version is not compatible with older ones.
I had heard that Simon was going to provide a patch for backward
compatibility for one OpenSSH version. I'm not sure what the status of
that is.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list