GSSAPI support in 3.8 ?

Darren Tucker dtucker at zip.com.au
Tue Mar 2 00:18:23 EST 2004


Kumaresh wrote:
> From Changelog with 3.8:
> "The experimental "gssapi" support has been replaced with the
> "gssapi-with-mic" to fix possible MITM attacks. The two versions are not
> compatible."
> 
> I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI
> support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with
> GSSAPI authentication. I have seen this in changelog, but my question is,
> can anybody explain briefly justifying this change in 3.8 and about MITM
> attacks? 

I don't know much GSSAPI, but from what I recall it was because the 
draft protocol standard has changed:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-07.txt

[quote]
11. Changes the last version

    This section lists important changes since the previous version of
    this internet-draft.  This section should be removed at the time of
    publication of this document as an RFC.

    o  Changed "gssapi" to "gssapi-with-mic", and added the description
       and semantics of the SSH_MSG_USERAUTH_GSSAPI_MIC message.
[/quote]

> Because, I am afraid that in a large network that uses GSSAPI for
> authentication, the new OpenSSH has to be reinstalled on all the systems as
> the latest version is not compatible with older ones.

I had heard that Simon was going to provide a patch for backward 
compatibility for one OpenSSH version.  I'm not sure what the status of 
that is.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list