Subject: Re: PAM and OpenSSH
To: Love <lha@stacken.kth.se>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-userlevel
Date: 01/26/2005 14:04:37
On 1106765327 seconds since the Beginning of the UNIX epoch
Love wrote:
>

>IMO kerberos 5 support as implemented by ssh.com or the openssh version
>were both not very useful since they didn't bind the ssh connection to the
>kerberos authentication, and thus opened up the user to tunneling
>attack. Also there wasn't a mode specified for host authentication (i.e. a
>SSH-KEX). Basically Kerberos was used as a glorified OTP protocol.

The Kerberos 5 support is definitely suboptimal---but I still think
that we should add them back in (late in the chain) to provide a
migration strategy for people who want to use gss-mech.

>gss-mech is real progress, however, in OpenSSH, the GSS-KEX was never
>adopted. So we still have to deal with this "please enter yes" stupidness.

Is there some problem with GSS-KEX?  If not, why don't we just
plonk it into our ssh?  I've been using it at home and it is quite
liberating to not have to deal with ssh's anemic key handling.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/