GSSAPI Key Exchange Patch

Douglas E. Engert deengert at
Thu Nov 29 04:06:52 EST 2007

One final more on de facto source splits. Not only do Solaris
10 and Debian have gss key exchange, there is at least one version
of PuTTY with it too:

This is listed on

It comes with source and the diffs against PuTTY 0.60.
But it looks like it uses the SSPI rather than the MIT KfW
or either.

Douglas E. Engert wrote:
> Stephen Frost wrote:
>> * Carson Gaspar (carson at wrote:
>>> Damien Miller wrote:
>>>> Yes - we are very scared of adding features that lead to more
>>>> pre-authentication attack surface, especially when they delegate to
>>>> complex libraries with patchy security histories.
>>> The risk of a pre-auth GSSAPI bug is far less than the nearly
>>> _impossible_ key management problem without it. Sun has integrated the
>>> patch. My employer is rolling it out, and is asking Red Hat to include
>>> it. At this point, _not_ incorporating it upstream is just leading to a
>>> de facto source code fork. I strongly suggest the maintainers reconsider
>>> their position.
> I too agree with the previous responses. We have gotten away from
> building OpenSSH in favor of using the vendor's versions. Solaris 10
> and Ubuntu are used widely here and both have gssapi-keyex and work well
> together. The option is on by default in Solaris 10 so anyone who
> uses Kerberos and ssh on Solaris 10 is using gssapi-keyex.
> Looks like you already have a de facto source split. It would be nice
> to get things back in sync.
>> 	Thanks,
>> 		Stephen


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
