Pending OpenSSH release: contains Kerberos/GSSAPI changes
Jeffrey Hutzelman
jhutz at cmu.edu
Fri Jan 30 22:08:42 EST 2004
(Just to pick nits... Note that this is not yet an RFC. Hopefully that
will change sometime in the next few months, but at the moment it's still
an internet-draft.)
On Friday, January 30, 2004 16:25:34 -0700 "Wachdorf, Daniel R"
<drwachd at sandia.gov> wrote:
> 2 - RFC also allow for gss mechanisms that don't have GSSAPI integrity.
> Servers can then choose to disallow it. As far as I can tell from the
> code, any client which doesn't (or cant) have the GSS_C_INTEG_FLAG set
> cannot connect. I can't test this because Kerberos-gssapi uses integrity.
This is legitimate behaviour. See the last paragraph of section 3.6, at
the top of page 15:
It is a site policy descision for the server whether or not to permit
authentication using GSSAPI mechanisms and/or contexts which do not
support per-message integrity protection. The server MAY fail the
otherwise valid gssapi-with-mic authentication if per-message
integrity protection is not supported.
Note the use of the word "MAY", which means "do whatever you want". We
actually expect that most server operators will want to accept
gssapi-with-mic only in cases where integrity is supported, There was a
fairly length discussion of this issue on the ietf-ssh list last October or
so.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
More information about the Kerberos
mailing list