GSSAPI Re: OpenSSH 3.8.1p1: call for testing
sxw at inf.ed.ac.uk
Fri Apr 16 05:52:36 EST 2004

On Tue, 13 Apr 2004, Stephen Smoogen wrote:

> I have a quick question for GSSAPI implementation (which is more aimed
> at Simon and other people and not the core :)). What is the functional
> difference between the current GSSAPI implementation and the one that
> was with 3.6p2 with Simon's patch?

They're not compatible :-(

3.6p2 with my patches implements the user authentication mechanisms
'gssapi' and 'external-keyex'. Both of these are now deprecated, and
aren't included in the current SSH GSSAPI internet draft. In addition,
patched 3.6p2 implements GSSAPI key exchange, which isn't supported by
vanilla 3.8. I intend on releasing patches for 3.8 implementing key
exchange just as soon as I have enough time.

3.8 implements the 'gssapi-with-mic' authentication mechanism. This is
identical to the 'gssapi' mechanism of patched 3.6, with the exception
that it uses a MIC to tie the negotiated GSSAPI authentication context
to the underlying SSH session. This additional step is necessary to
prevent certain MITM attacks.

I posted a patch to this list a while back which adds backwards
compatibility support for 'gssapi' userauth mechanisms to 3.8.

Cheers,

Simon.
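
The session binding described in the message above, as an added example that is not part of the original post and is not OpenSSH code: the MIC covers the SSH session identifier, so a GSSAPI exchange relayed into a different SSH session fails verification. Assumptions: the field layout is the one in RFC 4462 section 3.5 (the published form of the draft), HMAC-SHA256 stands in for gss_get_mic()/gss_verify_mic(), and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from the SSH userauth protocol


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str = "ssh-connection") -> bytes:
    """Data covered by the MIC (layout assumed from RFC 4462 section 3.5)."""
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user.encode())
        + ssh_string(service.encode())
        + ssh_string(b"gssapi-with-mic")
    )


def get_mic(context_key: bytes, data: bytes) -> bytes:
    """Stand-in for gss_get_mic(): HMAC-SHA256 under a key only the GSSAPI peers hold."""
    return hmac.new(context_key, data, hashlib.sha256).digest()


def server_accepts(context_key: bytes, server_session_id: bytes, user: str, mic: bytes) -> bool:
    """Stand-in for gss_verify_mic(), computed over the server's own session identifier."""
    expected = get_mic(context_key, mic_input(server_session_id, user))
    return hmac.compare_digest(expected, mic)


def demo() -> dict:
    # Constructed sample values, not taken from any real session.
    context_key = hashlib.sha256(b"constructed GSSAPI context key").digest()
    direct_sid = hashlib.sha1(b"exchange hash: client <-> server").digest()
    # With a relay in the middle there are two key exchanges, so the client
    # and the server each derive a different session identifier.
    client_side_sid = hashlib.sha1(b"exchange hash: client <-> relay").digest()
    server_side_sid = hashlib.sha1(b"exchange hash: relay <-> server").digest()
    return {
        "direct": server_accepts(context_key, direct_sid, "alice",
                                 get_mic(context_key, mic_input(direct_sid, "alice"))),
        "relayed": server_accepts(context_key, server_side_sid, "alice",
                                  get_mic(context_key, mic_input(client_side_sid, "alice"))),
    }
```

Calling `demo()` shows the direct session accepted and the relayed one rejected, because the relay cannot produce a MIC over the server-side session identifier without the context key.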