Pending OpenSSH release: contains Kerberos/GSSAPI changes
Wachdorf, Daniel R
drwachd at sandia.gov
Fri Jan 30 11:41:26 EST 2004
Darren,
I have been doing some testing and I noticed a problem with the server
implementation of GSSAPI authentication within the open ssh snapshot
(openssh-SNAP-20040124.tar.gz).
The draft (draft-ietf-secsh-gsskeyex-07) states:
Since the user authentication process by its nature authenticates
only the client, the setting of the mutual_req_flag is not needed for
this process. This flag SHOULD be set to "false".
The client sets this to true, not really a problem. Our modified f-secure
client does the same thing. However, if GSS_C_MUTUAL_FLAG is not set, then
the open ssh server rejects the connection. The following line of code
(from gss-serv.c):
/* Now, if we're complete and we have the right flags, then
* we flag the user as also having been authenticated
*/
if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE))
{
if (ssh_gssapi_getclient(ctx, &gssapi_client))
fatal("Couldn't convert client name");
}
This requires the client to set GSS_C_MUTUAL, which conflicts with the
draft.
-dan
-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Wednesday, January 21, 2004 6:46 PM
To: kerberos at mit.edu; krbdev at mit.edu; heimdal-discuss at sics.se
Cc: OpenSSH Devel List
Subject: Pending OpenSSH release: contains Kerberos/GSSAPI changes
(I hope this message is appropriate for these lists. If not, please
tell me and I won't do it again.)
Hi All.
There will be a new release of OpenSSH in a couple of weeks. This
release contains Kerberos and GSSAPI related changes that we would like
to get some feedback about (and hopefully address any issues with)
before the release.
I encourage anyone with an interest in Kerberos/GSSAPI support in
OpenSSH to try a snapshot [1] and send feedback.
Changes in OpenBSD's OpenSSH and -Portable:
- markus at cvs.openbsd.org 2003/11/17 11:06:07
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
test + ok jakob.
- jakob at cvs.openbsd.org 2003/12/23 16:12:10
implement KerberosGetAFSToken server option. ok markus@, beck@
- markus at cvs.openbsd.org 2003/11/02 11:01:03
remove support for SSH_BUG_GSSAPI_BER; simon at sxw.org.uk
Changes in -Portable only
- (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
is found. with jakob@
- (dtucker) [configure.ac] Use krb5-config where available for
Kerberos/GSSAPI detection, libs and includes. ok djm@
Additionally, as a side effect of the last change, the test for libkafs
is now independant of the Heimdal test, so should a version that works
with MIT Kerberos be available it will be used.
All but the last are in the 20040122 snapshot, and the last will be in
20040123 and up.
Please follow-up to the OpenSSH devel list (cc: the Kerberos lists if
you consider it appropriate).
[1] ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or
one of the mirrors listed at http://openssh.com/portable.html#mirrors
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
krbdev mailing list krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
More information about the Kerberos
mailing list