> I've pointed out this to the authors privately, so I'll repeat this
> publicly. I consider gss userauth to be broken since it doesn't
> verify the session id (using either mic or channel bindings (like
> in CCM)).
>
> Love
This is currently being discussed on the ietf-ssh mailing list
(ietf-ssh at netbsd.org, archives at
ftp://ftp.ietf.org/ietf-mail-archive/secsh/), to which Love posted his
message on 8-22. (For those who don't know it, Love is one of the
Heimdal Kerberos developers (and recently the most active one) --
http://www.pdc.kth.se/heimdal/)
Even in the most recent "GSSAPI Authentication and Key Exchange for
the Secure Shell Protocol" draft
(http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt),
"gss userauth" doesn't "verify the session id". Nor does Simon
Wilkinson's implementation of it.
Gss key exchange already does "verify the session id" (in the IETF
draft and in Simon's implementation), and there seems to be a
consensus that gss userauth should also -- possibly by using the same
method as gss key exchange (an extra message, which in the case of gss
userauth could be sent from the client to the server, and need not
require an extra round trip).
The public is already using an implementation of the current IETF
draft -- OpenSSH with Simon Wilkinson's patch. So whatever changes
the IETF Secure Shell working group makes need to be backwards
compatible -- on which there also seems to be a consensus.
Finally, despite what Love says, the gssapi protocol as used by gss
userauth already does provide mutual authentication between the client
and the server. It just doesn't do it as neatly as gss key
exchange, and a copy of the server's public key still needs to be
stored on the client side.
Yes, gss key exchange handles mutual authentication better (though not
more securely) than gss userauth currently does. And OpenSSH should
eventually implement gss key exchange (and the new-and-improved gss
userauth, whenever that gets finalized). But I don't see any reason
why Darren Tucker's openssh-gssapi-port2.patch shouldn't go into
OpenSSH 3.7 as is.
Let's not make the best the enemy of the good :-)
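
The session-id check discussed in this thread, as an added example that is not part of the original message or of any OpenSSH patch: a simplified model in which the client sends one extra MIC computed over the SSH session id and the server verifies it against its own session id. Assumptions: an HMAC under a per-context key stands in for gss_get_mic()/gss_verify_mic(), and the field layout, key-exchange transcripts and user names are constructed for illustration, not taken from the draft.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 under a key known to both ends of the GSS context
# models the GSS MIC. A real implementation would call the GSS-API instead.

def session_id(kex_transcript: bytes) -> bytes:
    """Model of the SSH session id: the exchange hash of the first key exchange."""
    return hashlib.sha256(kex_transcript).digest()

def _field(value: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot be confused."""
    return len(value).to_bytes(4, "big") + value

def client_mic(ctx_key: bytes, sid: bytes, user: str) -> bytes:
    """Extra client-to-server message: a MIC binding the GSS context to this session."""
    data = _field(sid) + _field(user.encode()) + _field(b"ssh-connection")
    return hmac.new(ctx_key, data, hashlib.sha256).digest()

def server_accepts(ctx_key: bytes, own_sid: bytes, user: str, mic: bytes) -> bool:
    """Server recomputes the MIC over the session id of ITS transport connection."""
    expected = client_mic(ctx_key, own_sid, user)
    return hmac.compare_digest(expected, mic)

def demo():
    ctx_key = os.urandom(32)  # models the established GSS security context
    # Constructed transcripts: two distinct transport sessions.
    sid_a = session_id(b"constructed kex transcript A")
    sid_b = session_id(b"constructed kex transcript B")

    mic_a = client_mic(ctx_key, sid_a, "alice")
    same_session = server_accepts(ctx_key, sid_a, "alice", mic_a)
    # A MIC produced for session A must not authenticate session B.
    other_session = server_accepts(ctx_key, sid_b, "alice", mic_a)
    # Nor may it authenticate a different user name on session A.
    other_user = server_accepts(ctx_key, sid_a, "bob", mic_a)
    return same_session, other_session, other_user

if __name__ == "__main__":
    print(demo())
```

Because the MIC travels only from client to server, the check fits into the existing exchange without another round trip, which is the property mentioned above.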