sxw at inf.ed.ac.uk
2005-Sep-21 10:20 UTC
Incorrect description of GSSAPI vulnerability in 4.2 release note.
The 4.2 release notes describe the GSSAPI credential delegating issue as:

  SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI credentials to be delegated to users who log in with methods other than GSSAPI authentication (e.g. public key) when the client requests it. This behaviour has been changed in OpenSSH 4.2 to only delegate credentials to users who authenticate using the GSSAPI method.

This description significantly overstates the actual nature of the problem. The issue only occurs when a user successfully performs GSSAPI userauth against a host, and then is rejected by local policy. When the connection falls back to an alternate authentication scheme, the credentials established through this GSSAPI connection were still being made available.

In any version of OpenSSH you cannot get GSSAPI credentials delegated without using GSSAPI authentication.

Cheers,

Simon.
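
The sequence described in the message above, as an added example that is not part of the original post and is not OpenSSH code: a small model of one connection in which a GSSAPI exchange completes, local policy rejects the login, and public key is used as the fallback. All type and function names are hypothetical, and the model assumes the client delegates credentials during the GSSAPI exchange.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of one sshd connection. All names are hypothetical,
 * chosen for illustration; this is not OpenSSH source. */
enum method { M_NONE, M_GSSAPI, M_PUBLICKEY };

struct conn {
    bool gss_creds_held;   /* delegated creds received in a GSSAPI exchange */
    enum method authed_by; /* method that finally authenticated the user */
};

/* GSSAPI userauth: the exchange itself succeeds and the client delegates
 * credentials (assumed); local policy may still refuse the login. */
static void try_gssapi(struct conn *c, bool policy_allows)
{
    c->gss_creds_held = true;
    if (policy_allows)
        c->authed_by = M_GSSAPI;
}

/* fixed=false: behaviour the message describes, where creds from the
 * rejected GSSAPI exchange stay available after fallback.
 * fixed=true: the 4.2 rule quoted from the release note. */
static bool creds_available(const struct conn *c, bool fixed)
{
    if (c->authed_by == M_NONE || !c->gss_creds_held)
        return false;
    return fixed ? c->authed_by == M_GSSAPI : true;
}

/* One login: optional GSSAPI attempt, then public-key fallback. */
static bool login(bool attempt_gss, bool policy_allows, bool fixed)
{
    struct conn c = { false, M_NONE };
    if (attempt_gss)
        try_gssapi(&c, policy_allows);
    if (c.authed_by == M_NONE)
        c.authed_by = M_PUBLICKEY; /* fallback method succeeds */
    return creds_available(&c, fixed);
}

int main(void)
{
    printf("pubkey only, pre-4.2:       %d\n", login(false, false, false));
    printf("gss rejected + pubkey, pre: %d\n", login(true, false, false));
    printf("gss rejected + pubkey, 4.2: %d\n", login(true, false, true));
    return 0;
}
```

In this model the public-key-only login never yields credentials under either rule; only the rejected-then-fallback case differs between the two.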