openssh unix dev - Sep 2005 - Incorrect description of GSSAPI vulnerability in 4.2 release note.

The 4.2 release notes describes the GSSAPI credential delegating issue as:

     SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI
     credentials to be delegated to users who log in with methods
     other than GSSAPI authentication (e.g. public key) when the
     client requests it. This behaviour has been changed in OpenSSH
     4.2 to only delegate credentials to users who authenticate
     using the GSSAPI method.

This description significantly overstates the actual nature of the 
problem.

The issue only occurs when a user succesfully performs GSSAPI 
userauth against a host, and then is rejected by local policy. When the 
connection falls back to an alternate authentication scheme, the 
credentials established through this GSSAPI connection were still being 
made available.

In any version of OpenSSH you cannot get GSSAPI credentials delegated 
without using GSSAPI authentication.

Cheers,

Simon.