Merging GSSAPI kex?

Peter Stuge peter at stuge.se
Sat May 28 00:18:40 AEST 2022


It's one solution for key distribution, but surely not the only one
and possibly not the best one. Popular doesn't equal good.

James Ralston wrote:
> These data are compelling that including GSSAPI kex in OpenSSH will
> not weaken its overall security posture—especially if GSSAPI kex is
> not enabled by default.

Dunno about that. Empirical evidence can only ever show that there
was no problem in the past. I guess some serious security issue has
existed in some project ~10 years before getting fixed.

More code, more complexity, in one of the most sensitive code paths
is not great.

Maybe this is rarely a primary concern where AD is used. One could
certainly argue that it should be.


> Integrating the GSSAPI kex patch would only make it more useful to
> system administrators everywhere.

Only to systems administrators wanting to use the functionality.

For everyone else in the world, probably including OpenSSH maintainers,
it can only make life worse.


//Peter