Bug in Sam's OpenSSH patches?

Jeffrey Hutzelman jhutz at cmu.edu
Wed Apr 13 17:13:03 EDT 2005

On Wednesday, April 13, 2005 09:47:42 PM +0100 Simon Wilkinson 
<sxw at sxw.org.uk> wrote:

> Sam Hartman wrote:
>> Yes.  I needed something that supported gssapi-with-mic, and you
>> didn't have it on your site and were not responding to email so I went
>> ahead and implemented something.
> Sorry, I must have missed that mail. I have been somewhat tardy about
> uploading new versions of the OpenSSH patches - it took a while to
> untangle them again after merging the userauth code into OpenSSH.
>> If you have something more modern I should be using I'd be happy to
>> upgrade.
> I've finally got around to producing a patch set for 4.0p1. This both
> contains support for key-exchange, and adds support for the gssapi-keyex
> userauth mechanism (which avoids the double authentication steps that
> started this entire discussion!)
> http://www.sxw.org.uk/computing/patches/openssh-4.0p1-gssapikex.patch
> I've also uploaded the backwards compatibility patch that I posted to the
> OpenSSH list a while back - this adds an option to enable the old
> 'gssapi' mechanism, which is vulnerable to a MITM attack under certain
> circumstances. This is at
> http://www.sxw.org.uk/computing/patches/openssh-3.8p1-gssapimitm.patch

Thank you, Simon.  This work will let me (finally!) deploy code at my site 
that actually implements the draft I co-authored.

-- Jeff

More information about the krbdev mailing list