GSSAPI Key Exchange Patch

Douglas E. Engert deengert at
Sat Nov 17 06:20:09 EST 2007

Stephen Frost wrote:
> * Carson Gaspar (carson at wrote:
>> Damien Miller wrote:
>>> Yes - we are very scared of adding features that lead to more
>>> pre-authentication attack surface, especially when they delegate to
>>> complex libraries with patchy security histories.
>> The risk of a pre-auth GSSAPI bug is far less than the nearly
>> _impossible_ key management problem without it. Sun has integrated the
>> patch. My employer is rolling it out, and is asking Red Hat to include
>> it. At this point, _not_ incorporating it upstream is just leading to a
>> de facto source code fork. I strongly suggest the maintainers reconsider
>> their position.

I too agree with the previous responses. We have gotten away from
building OpenSSH in favor of using the vendor's versions. Solaris 10
and Ubuntu are used widely here and both have gssapi-keyex and work well
togther. The option is on be default in Solaris 10 so anyone
uses Kerberos and ssh on Solaris 10 is using gssapi-keyex.

Looks like you already have a de facto source split. It would be nice
to get things back in sync.

> 	Thanks,
> 		Stephen
> ------------------------------------------------------------------------
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list