Merging GSSAPI kex?
Peter Stuge
peter at stuge.se
Sat May 28 00:18:40 AEST 2022
It's one solution for key distribution, but surely not the only one
and possibly not the best one. Popular doesn't equal good.
James Ralston wrote:
> These data are compelling that including GSSAPI kex in OpenSSH will
> not weaken its overall security posture—especially if GSSAPI kex is
> not enabled by default.
Dunno about that. Empirical evidence can only ever show that there
was no problem in the past. I guess some serious security issue has
existed in some project for ~10 years before getting fixed.
More code, more complexity, in one of the most sensitive code paths
is not great.
Maybe this is rarely a primary concern where AD is used. One could
certainly argue that it should be.
> Integrating the GSSAPI kex patch would only make it more useful to
> system administrators everywhere.
Only to system administrators wanting to use the functionality.
For everyone else in the world, probably including OpenSSH maintainers,
it can only make life worse.
//Peter