Subject: Re: PAM and OpenSSH
To: Love <lha@stacken.kth.se>
From: Jason Thorpe <thorpej@shagadelic.org>
List: tech-userlevel
Date: 01/26/2005 17:07:05

On Jan 26, 2005, at 10:48 AM, Love wrote:

> IMO kerberos 5 support as implemented by ssh.com or the openssh version
> were both not very useful since they didn't bind the ssh connection to the
> kerberos authentication, and thus opened up the user to tunneling
> attack. Also there wasn't a mode specified for host authentication (i.e. a
> SSH-KEX). Basically Kerberos was used as a glorified OTP protocol.

...something that server-side PAM for password authentication would 
take care of.

> gss-mech is real progress, however, in OpenSSH, the GSS-KEX was never
> adopted. So we still have to deal with this "please enter yes" stupidness.

Well, presumably we should fix that in the version that NetBSD uses.

-- thorpej