GSSAPI Key Exchange Patch

[Douglas E. Engert]

One final more on de facto source splits. Not only does Solaris
10 and Debian have gss key exchange, there is at least one version
of PuTTY with it too:

http://rc.quest.com/topics/putty

This is listed on
http://www.chiark.greenend.org.uk/~sgtatham/putty/links.html

It comes with source and the diffs against PuTTY 0.60.
But it looks like it uses the SSPI rather then the MIT KfW
or either.

Douglas E. Engert wrote:
> 
> Stephen Frost wrote:
>> * Carson Gaspar (carson at taltos.org) wrote:
>>> Damien Miller wrote:
>>>> Yes - we are very scared of adding features that lead to more
>>>> pre-authentication attack surface, especially when they delegate to
>>>> complex libraries with patchy security histories.
>>> The risk of a pre-auth GSSAPI bug is far less than the nearly
>>> _impossible_ key management problem without it. Sun has integrated the
>>> patch. My employer is rolling it out, and is asking Red Hat to include
>>> it. At this point, _not_ incorporating it upstream is just leading to a
>>> de facto source code fork. I strongly suggest the maintainers reconsider
>>> their position.
> 
> 
> I too agree with the previous responses. We have gotten away from
> building OpenSSH in favor of using the vendor's versions. Solaris 10
> and Ubuntu are used widely here and both have gssapi-keyex and work well
> togther. The option is on be default in Solaris 10 so anyone
> uses Kerberos and ssh on Solaris 10 is using gssapi-keyex.
> 
> Looks like you already have a de facto source split. It would be nice
> to get things back in sync.
> 
>> 	Thanks,
>>
>> 		Stephen
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444