I'd prefer client MAY mutual auth rather than client SHOULD NOT mutual
auth.
If the server does not implement gss-keyex then a sufficiently clever
client can get some of the benefits of gss-keyex in some situations by
requesting mutual.
Kerberos
Daniel,
My personal belief is that it's too late in this release cycle to make
this change. As the author of the GSSAPI code in OpenSSH, I completely
accept your comments - we're not (currently) RFC compliant. However, I'm
aware of a number of vendors who have successfully performed interop
PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; OpenSSH
Devel List
Subject: Re: Pending OpenSSH release: contains Kerberos/GSSAPI changes
Ben == Ben Lindstrom [EMAIL PROTECTED] writes:
Ben I need someone to look at this and get back to us ASAP in
Ben regards to if this will break GSSAPI
[mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 4:11 PM
To: Wachdorf, Daniel R
Cc: 'Sam Hartman'; 'Jeffrey Hutzelman'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
On Friday, January 30, 2004 09:41:26 -0700 Wachdorf, Daniel R
[EMAIL PROTECTED] wrote:
The client sets this to true, not really a problem. Our modified f-secure
client does the same thing. However, if GSS_C_MUTUAL_FLAG is not set,
then the open ssh server rejects the connection. The following
; 'Darren Tucker'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: OpenSSH Devel List; [EMAIL PROTECTED]
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
On Friday, January 30, 2004 09:41:26 -0700 Wachdorf, Daniel R
[EMAIL PROTECTED] wrote:
The client sets
Message-
From: Jeffrey Hutzelman [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 2:44 PM
To: Wachdorf, Daniel R; 'Darren Tucker'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: OpenSSH Devel List; [EMAIL PROTECTED]
Subject: RE: Pending OpenSSH release: contains Kerberos
-
From: Ben Lindstrom [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 3:47 PM
To: Wachdorf, Daniel R
Cc: 'Jeffrey Hutzelman'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; OpenSSH Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI
Ben == Ben Lindstrom [EMAIL PROTECTED] writes:
Ben I need someone to look at this and get back to us ASAP in
Ben regards to if this will break GSSAPI-WITH-MIC.
It may make some conforming clients break but does not create a
security problem.
Some client implementers may choose to
On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:
Well,
It could be a problem. If someone has implemented a client and doesn't do
^^
mutual auth (as the standard says they should), they could be broken.
, 2004 4:11 PM
To: Wachdorf, Daniel R
Cc: 'Sam Hartman'; 'Jeffrey Hutzelman'; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; OpenSSH
Devel List
Subject: RE: Pending OpenSSH release: contains Kerberos/GSSAPI changes
On Fri, 30 Jan 2004, Wachdorf, Daniel R wrote:
Well
(Just to pick nits... Note that this is not yet an RFC. Hopefully that
will change sometime in the next few months, but at the moment it's still
an internet-draft.)
On Friday, January 30, 2004 16:25:34 -0700 Wachdorf, Daniel R
[EMAIL PROTECTED] wrote:
2 - RFC also allow for gss mechanisms
-
From: Darren Tucker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 6:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: OpenSSH Devel List
Subject: Pending OpenSSH release: contains Kerberos/GSSAPI changes
(I hope this message is appropriate for these lists
Henry B. Hotz [EMAIL PROTECTED] writes:
At 9:07 PM +0100 1/22/04, Harald Barth wrote:
I think that OpenSSL != OpenSSH.
Correct. I got the install order wrong. The right order is OpenSSL,
Heimdal, OpenSSH.
Harald.
OK, so how do you install OpenSSL with RFC 2712 support enabled?
build
In message [EMAIL PROTECTED] on Mon, 26 Jan 2004 10:03:01 +0100, Love [EMAIL
PROTECTED] said:
lha
lha Henry B. Hotz [EMAIL PROTECTED] writes:
lha
lha At 9:07 PM +0100 1/22/04, Harald Barth wrote:
lha I think that OpenSSL != OpenSSH.
lha
lha Correct. I got the install order wrong. The
Changes in -Portable only
- (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
is found. with jakob@
I see a potential for circular depend confusion: I need OpenSSL
installed to get some libraries that Heimdal needs and I need Heimdal
installed to get some libraries
I think that OpenSSL != OpenSSH.
Correct. I got the install order wrong. The right order is OpenSSL,
Heimdal, OpenSSH.
Harald.
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
At 9:07 PM +0100 1/22/04, Harald Barth wrote:
I think that OpenSSL != OpenSSH.
Correct. I got the install order wrong. The right order is OpenSSL,
Heimdal, OpenSSH.
Harald.
OK, so how do you install OpenSSL with RFC 2712 support enabled?
--
The opinions expressed in this message are mine,
not
Harald Barth [EMAIL PROTECTED] writes:
I see a potential for circular depend confusion: I need OpenSSL
installed to get some libraries that Heimdal needs and I need
Heimdal installed to get some libraries that OpenSSL needs? Has
anyone tested this on a clean system?
I think that OpenSSL !=
On Thu, 2004-01-22 at 04:00, Harald Barth wrote:
Changes in -Portable only
- (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
is found. with jakob@
I see a potential for circular depend confusion: I need OpenSSL
installed to get some libraries that Heimdal needs