GSSAPI Key Exchange Patch

Carson Gaspar carson at
Fri Nov 16 14:09:16 EST 2007

Damien Miller wrote:

> Yes - we are very scared of adding features that lead to more
> pre-authentication attack surface, especially when they delegate to
> complex libraries with patchy security histories.

The risk of a pre-auth GSSAPI bug is far less than the nearly
_impossible_ key management problem without it. Sun has integrated the
patch. My employer is rolling it out, and is asking Red Hat to include
it. At this point, _not_ incorporating it upstream is just leading to a
de facto source code fork. I strongly suggest the maintainers reconsider
their position.


More information about the openssh-unix-dev mailing list