| Summary: | GSSAPI Keyexchange support | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Simon Wilkinson <simon> |
| Component: | Kerberos support | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED WONTFIX | | |
| Severity: | enhancement | CC: | abo, djm, haba, hotz, sconeu, t8m |
| Priority: | P2 | | |
| Version: | -current | | |
| Hardware: | All | | |
| OS: | All | | |
| Bug Depends on: | | | |
| Bug Blocks: | 1369 | | |

Description
Simon Wilkinson
2006-10-03 04:13:00 AEST
Created attachment 1195
Patch to add GSSAPI Key Exchange support

At our institution machines are SA'd by many, many organizations and there is simply no way to coordinate a useful known_hosts file. OTOH we have a nicely centralized Kerberos infrastructure so widespread use of these patches solves the problem nicely. Since these patches are already included in most OS's, it would be nice for the community to converge OpenSSH and RedHat with the rest of the community. It would reduce our overhead in supporting the few odd exceptions. Any chance getting this into 4.9?

I would also like to see this patch mainstreamed. Is there any chance to get some definitive yes/no on this feature from OpenSSH developers? (preferably with some reasoning)

Created attachment 1664
Patch to add GSSAPI Key Exchange support
This updates this patch to OpenSSH 5.2p1, and includes some minor fixes suggested by Greg Hudson during a code review he did for the MIT Kerberos Consortium.

None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources.

Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1