Bug in Sam's OpenSSH patches?
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Apr 13 17:13:03 EDT 2005
On Wednesday, April 13, 2005 09:47:42 PM +0100 Simon Wilkinson
<sxw at sxw.org.uk> wrote:
> Sam Hartman wrote:
>
>> Yes. I needed something that supported gssapi-with-mic, and you
>> didn't have it on your site and were not responding to email so I went
>> ahead and implemented something.
>
> Sorry, I must have missed that mail. I have been somewhat tardy about
> uploading new versions of the OpenSSH patches - it took a while to
> untangle them again after merging the userauth code into OpenSSH.
>
>> If you have something more modern I should be using I'd be happy to
>> upgrade.
>
> I've finally got around to producing a patch set for 4.0p1. This both
> contains support for key-exchange, and adds support for the gssapi-keyex
> userauth mechanism (which avoids the double authentication steps that
> started this entire discussion!)
>
> http://www.sxw.org.uk/computing/patches/openssh-4.0p1-gssapikex.patch
>
> I've also uploaded the backwards compatibility patch that I posted to the
> OpenSSH list a while back - this adds an option to enable the old
> 'gssapi' mechanism, which is vulnerable to a MITM attack under certain
> circumstances. This is at
>
> http://www.sxw.org.uk/computing/patches/openssh-3.8p1-gssapimitm.patch
Thank you, Simon. This work will let me (finally!) deploy code at my site
that actually implements the draft I co-authored.
-- Jeff
More information about the krbdev
mailing list