Having also spent time with the OpenSSH port to add Fido support we should just drop the hard-to-maintain variants is my view.
On Wed, Mar 16, 2022 at 3:54 PM Clemens Lang <[email protected]> wrote:
> On Mon, Mar 14, 2022 at 10:14:05PM +0000, grey wrote:
> > What do others think? Feedback is welcome! I didn't mean to harsh on
> > Renee in the PR comments either, but Renee was pretty up front about
> > not actually using the OpenSSH port, so I would mostly appreciate
> > perspective from individuals who do actually use the OpenSSH port and
> > have some "skin in the game" as the idiomatic expression goes.
> >
> > For the life of me, I can't really see much good coming from the
> > +gsskex/GSSAPI variant, but I also do not presently administer any
> > Kerberos related infrastructure at the moment (thankfully, if slightly
> > tangentially, I also do not administer any yp related infrastructure
> > these days anymore and can blissfully only recall them and their
> > associated security holes with ypcat abuses as distant early 1990s
> > memories now).
>
> As somebody who's done a few openssh Portfile updates in the past, the
> gsskex and hpn patches have always been a pain, and I've been in favor
> of dropping them before. Maybe now the time has finally come to get rid
> of them.
>
> I happen to have access to a few Kerberos-enabled SSH servers, and can
> report that the existing +kerberos5 variant is sufficient to allow
> connecting using an existing kerberos ticket.
>
> The only benefits provided by the gsskex patch on top of that are:
> - no trust on first use for the hostkey, since the server is
>   authenticated during the kerberos exchange
> - credential delegation (basically SSH agent forwarding for Kerberos)
> I believe people used to claim a speed advantage, but I'm not sure
> that's a big reason anymore these days, considering ECDH is fast and
> widely available.
>
> Other distributions [1] seem to still be shipping the patch, but they
> may have more manpower to maintain it. I'll try to remember to ask the
> authors of RFC 8732 for their opinion on this tomorrow.
>
> Overall, I'm in favor of dropping this. A kerberos corner case used by
> very few people should not block us from applying security updates for
> the majority of the users, but that is what has happened multiple times
> now. Additionally, the patch does not provide a lot of additional value,
> IMO, since kerberos auth still works without it. If somebody wants to
> step up to maintain a copy of openssh with the gsskex patch, they can
> submit a separate Portfile.
>
> [1]:
> https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137
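A practical check that follows from the discussion above, added here as an example and not part of the thread or of the MacPorts port: it probes whether a given ssh binary understands the GSSAPIKeyExchange option (which only builds carrying the gsskex patch have) and prints the Kerberos-only client configuration that the plain +kerberos5 variant covers. The probe host name and the example.org domain are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether an ssh binary was built
# with the gsskex patch. Only patched builds know the GSSAPIKeyExchange option;
# stock OpenSSH rejects it as "Bad configuration option" and exits 255.
# Return status: 0 = option accepted, 1 = option unknown, 2 = binary missing, 3 = other failure.
ssh_has_gsskex() {
    bin="${1:-ssh}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # -G prints the effective configuration and exits without connecting,
    # so the probe makes no network contact; the host name is a placeholder.
    out=$("$bin" -G -o GSSAPIKeyExchange=yes gsskex-probe.invalid 2>&1)
    rc=$?
    case "$rc" in
        0) return 0 ;;
        *) printf '%s\n' "$out" | grep -qi 'bad configuration option' && return 1
           return 3 ;;
    esac
}

# Client configuration for the unpatched (+kerberos5-only) path the thread
# describes as sufficient: authenticate with the existing ticket, keep
# credential delegation off, and make up for the lost Kerberos-based server
# authentication by refusing unknown host keys instead of trusting them on
# first use (pre-populate known_hosts). example.org is a placeholder domain.
kerberos_only_ssh_config() {
    cat <<'EOF'
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    StrictHostKeyChecking yes
EOF
}

# One-line verdict for the ssh found on PATH when the script is run directly.
case "$(ssh_has_gsskex; echo $?)" in
    0) echo "gsskex patch present: GSSAPIKeyExchange is available" ;;
    1) echo "stock OpenSSH: no GSSAPIKeyExchange; use the kerberos-only config" ;;
    2) echo "ssh not found" ;;
    *) echo "probe failed (ssh too old for -G?)" ;;
esac
```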
