Bugzilla – Bug 6911
drop support for external-keyx and gssapi methods in gsi_openssh-5.0
Last modified: 2010-03-22 13:27:01
GSI-OpenSSH has long included support for the "external-keyx" and "gssapi" user
authentication methods from draft-ietf-secsh-gsskeyex-06 and earlier, for
backward compatibility. Since draft-ietf-secsh-gsskeyex-07 (Mar 2004) leading
to RFC 4462 (May 2006), these methods have been superseded by the
"gssapi-keyex" and "gssapi-with-mic" methods which include a MIC (message
integrity check) to bind the GSSAPI context to the SSH session for protection
against MITM attacks.
Including support for these legacy methods adds complexity to the GSI-OpenSSH
codebase. Since it's been almost 6 years now, I think it's safe to drop support
for these legacy methods. Given that it's a protocol-level change, I propose
doing it in the v5.0 release.
We recently added support in GSI-SSHTerm
(http://sourceforge.net/projects/gsi-sshterm) for the RFC 4462 methods, which I
think removes the final requirement for backward compatibility.
I need to confirm that SecureNetTerm (http://www.securenetterm.com/) also has
support for the RFC 4462 methods.
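As an added illustration (not code from this bug or from GSI-OpenSSH) of the binding that the RFC 4462 methods add and the legacy methods lack: the client's MIC covers the session identifier from the key exchange, so a MIC produced on one connection does not verify on another. GSS_GetMIC/GSS_VerifyMIC are stood in for by a keyed HMAC, an assumption made so the example runs without a GSSAPI library; the session identifiers and context key are constructed values.

```python
import hashlib
import hmac
import os
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str, method: str) -> bytes:
    """Data the client's MIC covers for gssapi-with-mic (RFC 4462 sec. 3.5)
    and gssapi-keyex (sec. 4): the session identifier is what ties the
    GSSAPI context to this particular SSH connection."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(method.encode()))


def gss_get_mic(ctx_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC (assumption: HMAC keyed with the context key)."""
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def gss_verify_mic(ctx_key: bytes, data: bytes, mic: bytes) -> bool:
    """Stand-in for GSS_VerifyMIC."""
    return hmac.compare_digest(gss_get_mic(ctx_key, data), mic)


def server_accepts(ctx_key, server_session_id, user, service, method, mic):
    """Server side: verify the MIC against the data for *its own* session id."""
    return gss_verify_mic(ctx_key, mic_input(server_session_id, user, service, method), mic)


def demo():
    """Returns (accepted on the client's own connection, accepted on a different connection)."""
    ctx_key = b"constructed-shared-gss-context-key"  # held by both ends after context establishment
    client_session = os.urandom(32)  # session id of the connection the client actually made
    other_session = os.urandom(32)   # session id of some other connection (constructed)
    data = mic_input(client_session, "alice", "ssh-connection", "gssapi-with-mic")
    mic = gss_get_mic(ctx_key, data)
    return (server_accepts(ctx_key, client_session, "alice", "ssh-connection", "gssapi-with-mic", mic),
            server_accepts(ctx_key, other_session, "alice", "ssh-connection", "gssapi-with-mic", mic))
```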
(In reply to comment #0)
> I need to confirm that SecureNetTerm (http://www.securenetterm.com/) also has
> support for the RFC 4462 methods.
Kenneth Robinette confirms that SecureNetTerm supports gssapi-keyex and
gssapi-with-mic, so dropping the old methods shouldn't cause problems.
GSI-OpenSSH 5.0 released Mar 9 2010.