Re: GSSAPI Key Exchange in sshd?

From: Stefan Lambrev <stefan.lambrev@xxxxxxxxxxxxxxxx>
Date: Thu, 20 Sep 2007 11:21:37 +0300

Hello,

Kevin Way wrote:

I'm curious if there are technical (or other) reasons that prevent FreeBSD from adding RFC 4462 (GSSAPI Key Exchange) support to sshd. The MIT Kerberos team first requested this four years ago, and implementation patches have been available for years at: http://www.sxw.org.uk/computing/patches/openssh.html

The author of those patches has offered (without much public response) to allow integration of the patches into the openssh source distribution, so I don't think licensing would be an issue.

This would be incredibly useful to me, as it'd remove the burden of site-wide ssh host key distribution.

I'm using openssh-portable from ports to do this. It is option there so you have a choice.
Unfortunately there is no patch available for the latest (4.7) openssh, so we have to wait little.

It was explained many times why you should use ports if you want customization for apps like heimdal, openssh and perl (in the past when it was built-in in the base system).
Also it is quite more easy to maintain updates, when you use ports version for this.
Why it is not part of openssh I can only guess, but I'm sure it involves security problems (just like HPN patch), and that's why it is not part of the source tree of openssh.

Regards,
Kevin Way
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

--

Best Wishes,
Stefan Lambrev
ICQ# 24134177

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

Prev by Date: [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users
Next by Date: OCF
Previous by thread: [Resolved] Found a way of allowing pam_ldap users (with pam_groupdn or pam_check_host_attr restrictions), AND allowing local root authentication, without pam_unix.so taking presense due to getpwent() returns ldap-users
Next by thread: OCF
Index(es):
- Date
- Thread

Relevant Pages

Re: GSSAPI Key Exchange in sshd?
... Kevin Way wrote: ... FreeBSD from adding RFC 4462 (GSSAPI Key Exchange) support to sshd. ... The author of those patches has offered to allow integration of the patches into the openssh source distribution, so I don't think licensing would be an issue. ...
(freebsd-hackers)
GSSAPI Key Exchange patches for OpenSSH 4.3p2
... These patches add support for performing GSSAPI key exchange to the ... OpenSSH client and server. ...
(comp.protocols.kerberos)
hostbased: key xxxx is disallowed - why?
... I'm trying to use hostbased authentication between two Suse 8.0/8.1 ... machines with OpenSSH (OpenSSH_3.4p1, patched with all Suse security ... patches). ...
(comp.security.ssh)
Re: updates and version numbers
... 4.9-RELEASE + security patches. ... It is quite possible that OpenSSH 3.7.x will be imported to 4-STABLE, ... If there are any security problems ... The last OpenSSH security advisory was ...
(freebsd-stable)
Upcoming OpenSSH vulnerability (fwd)
... Subject: Upcoming OpenSSH vulnerability ... Depending on what your system is, privsep may break some ssh ... work with your vendor so that we get patches to make it work on your ... You must call on your vendors to help us. ...
(FreeBSD-Security)