GSSAPI Key Exchange Patch

Stephen Frost sfrost at snowman.net
Fri Nov 16 14:24:11 EST 2007


* Carson Gaspar (carson at taltos.org) wrote:
> Damien Miller wrote:
> > Yes - we are very scared of adding features that lead to more
> > pre-authentication attack surface, especially when they delegate to
> > complex libraries with patchy security histories.
> 
> The risk of a pre-auth GSSAPI bug is far less than the nearly
> _impossible_ key management problem without it. Sun has integrated the
> patch. My employer is rolling it out, and is asking Red Hat to include
> it. At this point, _not_ incorporating it upstream is just leading to a
> de facto source code fork. I strongly suggest the maintainers reconsider
> their position.

I would tend to agree.  The patch is also in Debian, and as such I
suspect a number of other places (Ubuntu, etc).  Certainly if you're
aware of specific security issues with the patch there are a lot of
people who would benefit from knowing what they are.  If there aren't,
it would be great to have it included to minimize the risk of an issue
being found in the future and not being patched everywhere, or other
issues related to forking.

	Thanks,

		Stephen