Subject: Re: PAM and OpenSSH
To: Greg Troxel <gdt@ir.bbn.com>
From: Love <lha@stacken.kth.se>
List: tech-userlevel
Date: 01/26/2005 19:48:47

Greg Troxel <gdt@ir.bbn.com> writes:

> Do they claim the direct krb5 support has a security problem, or is
> this just "progress"?   Having both supported in our version sounds
> like a good plan.

IMO Kerberos 5 support as implemented by ssh.com or the OpenSSH version
were both not very useful since they didn't bind the ssh connection to the
Kerberos authentication, and thus opened up the user to a tunneling
attack. Also there wasn't a mode specified for host authentication (i.e. a
SSH-KEX). Basically Kerberos was used as a glorified OTP protocol.

gss-mech is real progress; however, in OpenSSH, the GSS-KEX was never
adopted. So we still have to deal with this "please enter yes" stupidness.

Love

