Merging GSSAPI kex?

Peter Stuge peter at
Sat May 28 00:18:40 AEST 2022

It's one solution for key distribution, but surely not the only one
and possibly not the best one. Popular doesn't equal good.

James Ralston wrote:
> These data are compelling that including GSSAPI kex in OpenSSH will
> not weaken its overall security posture—especially if GSSAPI kex is
> not enabled by default.

Dunno about that. Empirical evidence can only ever show that there
was no problem in the past. I guess some serious security issue has
existed in some project ~10 years before getting fixed.

More code, more complexity, in one of the most sensitive code paths
is not great.

Maybe this is rarely a primary concern where AD is used. One could
certainly argue that it should be.

> Integrating the GSSAPI kex patch would only make it more useful to
> system administrators everywhere.

Only to systems administrators wanting to use the functionality.

For everyone else in the world, probably including OpenSSH maintainers,
it can only make life worse.

