Pending OpenSSH release: contains Kerberos/GSSAPI changes
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jan 30 17:48:25 EST 2004
On Fri, Jan 30, 2004 at 04:43:51PM -0500, Jeffrey Hutzelman wrote:
> Indeed, it does. The server is not supposed to check the state of the
> mutual_flag of a context accepted for gssapi-with-mic user auth. I know
> the draft is not entirely clear on this point; would it help if there were
> text indicating the server MUST NOT do this?
For completeness' sake, yes. The client (SHOULD NOT | MAY) set
GSS_C_MUTUAL for gssapi-with-mic, but the server MUST ignore the state
of the GSS_C_MUTUAL flag for gssapi-with-mic.
> Also, I've not actually read this code, other than what's quoted above, but
> I hope that's not the only place that flags are checked. I'm assuming the
> openssh code actually implements -07 and 'gssapi-with-mic'. In the new
> method, the client's final message is either SSM_MSG_USERAUTH_GSSAPI_MIC or
> SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, depending entirely on whether
> GSS_C_INTEG_FLAG is set. The server is REQUIRED to fail the authentication
> if the client sends the wrong message; this means the value of
> GSS_C_INTEG_FLAG must be tested.
Right. Further, the text should say that the server MAY always reject
SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE since there's no generic
interface for determining whether a context doesn't have the GSS_C_INTEG
flag set because the client left it off or because the mechanism doesn't
support GSS_C_INTEG.
Nico
--
More information about the Kerberos
mailing list