Bug 6911 - drop support for external-keyx and gssapi methods in gsi_openssh-5.0
Status: RESOLVED FIXED
Product: GSI-OpenSSH
Component: GSI-OpenSSH
Version: 4.7
Platform: All All
Importance: P3 enhancement
URL: http://dev.globus.org/wiki/GSI-OpenSS...
Reported: 2010-01-04 14:39
Modified: 2010-03-22 13:27


Description From 2010-01-04 14:39:02
GSI-OpenSSH has long included support for the "external-keyx" and "gssapi" user
authentication methods from draft-ietf-secsh-gsskeyex-06 and earlier, for
backward compatibility. Since draft-ietf-secsh-gsskeyex-07 (Mar 2004) leading
to RFC 4462 (May 2006), these methods have been superseded by the
"gssapi-keyex" and "gssapi-with-mic" methods which include a MIC (message
integrity check) to bind the GSSAPI context to the SSH session for protection
against MITM attacks.

Including support for these legacy methods adds complexity to the GSI-OpenSSH
codebase. Since it's been almost 6 years now, I think it's safe to drop support
for these legacy methods. Given that it's a protocol-level change, I propose
doing it in the v5.0 release.

We recently added support in GSI-SSHTerm
(http://sourceforge.net/projects/gsi-sshterm) for the RFC 4462 methods, which I
think removes the final requirement for backward compatibility.

I need to confirm that SecureNetTerm (http://www.securenetterm.com/) also has
support for the RFC 4462 methods.
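
Added example (not part of the original report and not GSI-OpenSSH code): how the MIC required by the RFC 4462 "gssapi-with-mic" method (section 3.5) ties the GSSAPI context to one SSH session, so a server talking to a relay rejects a MIC made for the client's own session. HMAC-SHA256 stands in for GSS_GetMIC(), and the key, user name and session identifiers are constructed values.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str, method: str) -> bytes:
    """Data the MIC covers: session id, message type, user, service, method."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(method.encode()))


def get_mic(context_key: bytes, data: bytes) -> bytes:
    """Assumption: HMAC-SHA256 replaces GSS_GetMIC() on the established context."""
    return hmac.new(context_key, data, hashlib.sha256).digest()


def verify_mic(context_key: bytes, session_id: bytes, user: str,
               service: str, method: str, mic: bytes) -> bool:
    """Server side: recompute over the server's own session id and compare."""
    expected = get_mic(context_key, mic_input(session_id, user, service, method))
    return hmac.compare_digest(expected, mic)


# Constructed sample values, not taken from any real session.
CONTEXT_KEY = b"constructed-gss-context-key"
CLIENT_SESSION_ID = hashlib.sha256(b"constructed hash: client<->server").digest()
RELAYED_SESSION_ID = hashlib.sha256(b"constructed hash: relay<->server").digest()


def demo():
    """Return (direct session accepted, relayed session accepted)."""
    args = ("alice", "ssh-connection", "gssapi-with-mic")
    mic = get_mic(CONTEXT_KEY, mic_input(CLIENT_SESSION_ID, *args))
    direct = verify_mic(CONTEXT_KEY, CLIENT_SESSION_ID, *args, mic)
    relayed = verify_mic(CONTEXT_KEY, RELAYED_SESSION_ID, *args, mic)
    return direct, relayed


if __name__ == "__main__":
    print(demo())
```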
------- Comment #1 From 2010-01-04 15:16:43 -------
(In reply to comment #0)
> I need to confirm that SecureNetTerm (http://www.securenetterm.com/) also has
> support for the RFC 4462 methods.

Kenneth Robinette confirms that SecureNetTerm supports gssapi-keyex and
gssapi-with-mic, so dropping the old methods shouldn't cause problems.
------- Comment #2 From 2010-03-22 13:27:01 -------
GSI-OpenSSH 5.0 released Mar 9 2010.