GSSAPI

Coy Hile coy.hile at coyhile.com
Fri Jul 18 11:01:47 EST 2014


On Jul 17, 2014, at 7:59 PM, Damien Miller <djm at mindrot.org> wrote:

> On Thu, 17 Jul 2014, Douglas E Engert wrote:
> 
>> I too am personally baffled why OpenSSH does not include the patch.
> 
> We don't trust the attack surface the Kerberos/GSSAPI provides.

What’s your justification for that?  I don’t see a larger attack surface in a kerberized environment compared to the wild west. In fact, I see a lesser attack surface in a purely kerberized environment (unless the host happens to be on the border) because you know everyone connecting has either already been authenticated by the KDC or will promptly get dropped on the floor.

