> Garrett Wollman wrote:
>> On Wed, 25 Feb 2004 00:02:31 +0000 (GMT), [EMAIL PROTECTED] said:
>>> Also note that gssapi-with-mic is incompatible with the 'gssapi' userauth authentication method in 3.7, and earlier in my patches. There is also no support for GSSAPI key exchange.
>> So those of us who depend on this are still stuck with 3.6p1?
> You're stuck with patched 3.6p1 until such time as patches are made available for 3.8 :-) These are being worked on, but time is in short supply at present. Note that the I-D has changed since the patches for 3.6p1, and a new method of verifying the key exchange is now used (the previous method was vulnerable to MITM attacks).
Huh? There are no known problems with the GSSAPI-based key exchange methods, and there hasn't been any change in some time. The gss-group1-sha1-* kex methods are the same as before.
There _is_ a change related to obtaining user authentication as a side-effect of GSSAPI-based key exchange. Originally this was done using the 'external-keyex' userauth method, which was indeed subject to certain kinds of MITM attacks. Because of this weakness, this method should not ever be enabled. The new way to obtain this functionality is to use the 'gssapi-keyex' method, which does not suffer from this problem.
Note that GSSAPI-based key exchange is entirely usable without the external-keyex or gssapi-keyex userauth methods. Having a version of OpenSSH which supports both gss-group1-sha1-* and gssapi-with-mic would be a big step forward, even if it does not also support "gssapi-keyex"
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
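The message above distinguishes four userauth method names ('gssapi', 'gssapi-with-mic', 'external-keyex', 'gssapi-keyex') and the 'gss-group1-sha1-*' key-exchange names. The following is an added example, not code from the thread or from any OpenSSH patch set: it decodes the name-list a server returns in SSH_MSG_USERAUTH_FAILURE (message number 51, then a name-list of methods, then a boolean partial-success flag), flags the incompatible and unsafe methods named in the thread, and builds the 'gss-group1-sha1-' name for the Kerberos V5 mechanism (OID 1.2.840.113554.1.2.2) using the suffix rule that ended up in RFC 4462 (Base64 of the MD5 of the DER-encoded mechanism OID). The sample failure message is constructed inline, not captured from a real server, and the verdict strings are this example's own.

```python
import base64
import hashlib
import struct

# Verdicts for the userauth methods discussed in the thread (this example's
# own labels). 'gssapi' (3.7 and the older patches) does not interoperate with
# 'gssapi-with-mic'; 'external-keyex' was subject to MITM and must never be
# enabled; 'gssapi-keyex' is its replacement.
METHOD_VERDICT = {
    "gssapi-with-mic": "ok",
    "gssapi-keyex": "ok",
    "gssapi": "incompatible with gssapi-with-mic",
    "external-keyex": "unsafe (MITM); must not be enabled",
}

SSH_MSG_USERAUTH_FAILURE = 51
KERBEROS_V5_OID = "1.2.840.113554.1.2.2"


def der_encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an ASN.1 DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits last, high bits get 0x80
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def gss_kex_name(mech_oid: str, base: str = "gss-group1-sha1-") -> str:
    """RFC 4462 2.1: method name is base + Base64(MD5(DER(mechanism OID)))."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    return base + base64.b64encode(digest).decode("ascii")


def parse_name_list(buf: bytes, offset: int = 0):
    """Parse an SSH name-list: uint32 length + comma-separated US-ASCII names.
    Returns (names, offset just past the list); rejects truncated input."""
    if len(buf) < offset + 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[start:end].decode("ascii")
    return (raw.split(",") if raw else []), end


def build_name_list(names) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def parse_userauth_failure(msg: bytes):
    """Decode SSH_MSG_USERAUTH_FAILURE into (methods, partial_success)."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE")
    methods, off = parse_name_list(msg, 1)
    if off >= len(msg):
        raise ValueError("missing partial-success flag")
    return methods, bool(msg[off])


def audit_methods(methods):
    """Map each offered method to a verdict; non-GSSAPI methods are passed through."""
    return {m: METHOD_VERDICT.get(m, "not a GSSAPI method") for m in methods}


# Constructed sample (not a captured packet): a patched sshd that still offers
# the old 'gssapi' and 'external-keyex' methods alongside 'gssapi-with-mic'.
SAMPLE_FAILURE = (
    bytes([SSH_MSG_USERAUTH_FAILURE])
    + build_name_list(["publickey", "gssapi", "external-keyex", "gssapi-with-mic"])
    + b"\x00"   # partial success = FALSE
)

if __name__ == "__main__":
    methods, partial = parse_userauth_failure(SAMPLE_FAILURE)
    for method, verdict in audit_methods(methods).items():
        print(f"{method:18s} {verdict}")
    print("Kerberos V5 kex method name:", gss_kex_name(KERBEROS_V5_OID))
```

The kex name the script prints can be compared against the 'gss-group1-sha1-*' entry a GSSAPI-kex-patched server advertises in its KEXINIT (visible with `ssh -vvv`); a mismatch means the two sides derived the suffix from different mechanism OIDs and will not negotiate GSSAPI key exchange, which is independent of whether either side offers 'gssapi-keyex' as a userauth method.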
