Bug in Sam's OpenSSH patches?
Simon Wilkinson
sxw at sxw.org.uk
Wed Apr 13 16:47:42 EDT 2005
Sam Hartman wrote:

> Yes. I needed something that supported gssapi-with-mic, and you
> didn't have it on your site and were not responding to email so I went
> ahead and implemented something.

Sorry, I must have missed that mail. I have been somewhat tardy about
uploading new versions of the OpenSSH patches - it took a while to
untangle them again after merging the userauth code into OpenSSH.

> If you have something more modern I should be using I'd be happy to
> upgrade.

I've finally got around to producing a patch set for 4.0p1. This both
contains support for key-exchange, and adds support for the gssapi-keyex
userauth mechanism (which avoids the double authentication steps that
started this entire discussion!)

http://www.sxw.org.uk/computing/patches/openssh-4.0p1-gssapikex.patch

I've also uploaded the backwards compatibility patch that I posted to
the OpenSSH list a while back - this adds an option to enable the old
'gssapi' mechanism, which is vulnerable to a MITM attack under certain
circumstances. This is at

http://www.sxw.org.uk/computing/patches/openssh-3.8p1-gssapimitm.patch

Cheers,

Simon.