Will Simon Wilkinson's GSSAPI Key Exchange patch ever be incorporated into the OpenSSH source?

http://www.sxw.org.uk/computing/patches/openssh.html

I'm sure I'm not the only one that uses it and would like to see it become part of the OpenSSH source. Is there something missing or is there some technical/philosophical reason for not including it?
All,

* petesea at bigfoot.com (petesea at bigfoot.com) wrote:
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> I'm sure I'm not the only one that uses it and would like to see it become
> part of the OpenSSH source. Is there something missing or is there some
> technical/philosophical reason for not including it?

We'd also like to see it incorporated. It's unfortunate that it continues to be an ordeal to get proper GSSAPI support for OpenSSH even with all of Simon's hard work. I haven't been following the IETF/RFC draft process lately, but I thought getting that finalized, including GSSAPI server auth, was the remaining hoop GSSAPI and Kerberos supporters had to jump through to get this incorporated upstream (and I thought people were working on it, but it does seem like it's been quite a while now..).

Certainly one thing we're thankful for is that Debian has Simon's patch incorporated, and has for quite some time now. I suppose, sadly, that it's probably one of the reasons people haven't been more vocal about getting it incorporated upstream. In fact, looking back, it was incorporated in the September 14th, 2005 upload to Debian of version 1:4.2p1-2, and Colin credited me for asking for it in the changelog. :)

Thanks,

Stephen
Damien Miller wrote:
> Yes - we are very scared of adding features that lead to more
> pre-authentication attack surface, especially when they delegate to
> complex libraries with patchy security histories.

The risk of a pre-auth GSSAPI bug is far less than the nearly _impossible_ key management problem without it.

Sun has integrated the patch. My employer is rolling it out, and is asking Red Hat to include it.

At this point, _not_ incorporating it upstream is just leading to a de facto source code fork. I strongly suggest the maintainers reconsider their position.

--
Carson
On Thu, 15 Nov 2007, petesea at bigfoot.com wrote:
> Will Simon Wilkinson's GSSAPI Key Exchange patch ever be incorporated into
> the OpenSSH source?

As far as I know, none of the current core OpenSSH developers are in favour of adding it.

> http://www.sxw.org.uk/computing/patches/openssh.html
>
> I'm sure I'm not the only one that uses it and would like to see it become
> part of the OpenSSH source. Is there something missing or is there some
> technical/philosophical reason for not including it?

Yes - we are very scared of adding features that lead to more pre-authentication attack surface, especially when they delegate to complex libraries with patchy security histories.

-d