On Tue, Jun 08, 2004 at 09:21:38AM -0600, Stephen Smoogen wrote: > On Tue, 2004-06-08 at 06:35, Build System wrote: > > openssh-3.8.1p1-1 > > ----------------- > > * Mon Jun 07 2004 Nalin Dahyabhai <nalin@xxxxxxxxxx> 3.8.1p1-1 > > > > - request gssapi-with-mic by default but not delegation (flag day for anyone > > who used previous gssapi patches) > > That will be us. Nalin, are you putting in the > 'backwards-compatible-patch' that Simon posted? I am at the other end of > a 28.8 modem today so I cant look at the source easily :(. It's in the .src.rpm, but not applied (see line 221 in the spec file). Once applied, you'll need to set "GssapiEnableMitmAttack yes" (no, I'm not making that up) in the sshd_config to enable it at run-time. I thought about applying it in general, but reasoned that not applying a backwards-compatibility patch for a patch which we didn't originally apply was more consistent -- that way the code most users run is as affected (or not) by it as they were before. That's not set in stone, though. > Also do you know what is left out from Simons original patches to the > new ones? I am needing to know this for a larger deployment when this > gets rolled into RHEL where we have been distributing 3.6 with older > patches. I know that the OpenSSH 3.8 series contains some parts of the > patches but not all until there is enough requests or someone pays Simon > to do the rest :). The gssapi-with-mic support is authentication only AFAIK. So no gssapi key exchange, which you may miss if you had gotten used to not having to accept (or even create) ssh host public keys. The credential forwarding works well. > > - no longer request x11 forwarding by default > > Will the Xsecurity extensions be looked at in the future. I couldn't say. I hope so. HTH, Nalin