On Tue, 2004-06-08 at 11:34, Nalin Dahyabhai wrote:
> On Tue, Jun 08, 2004 at 09:21:38AM -0600, Stephen Smoogen wrote:
> > On Tue, 2004-06-08 at 06:35, Build System wrote:
> > > openssh-3.8.1p1-1
> > > -----------------
> > > * Mon Jun 07 2004 Nalin Dahyabhai <nalin@xxxxxxxxxx> 3.8.1p1-1
> > >
> > > - request gssapi-with-mic by default but not delegation (flag day for anyone
> > >   who used previous gssapi patches)
> >
> > That will be us. Nalin, are you putting in the
> > 'backwards-compatible-patch' that Simon posted? I am at the other end of
> > a 28.8 modem today so I can't look at the source easily :(.
>
> It's in the .src.rpm, but not applied (see line 221 in the spec file).
> Once applied, you'll need to set "GssapiEnableMitmAttack yes" (no, I'm
> not making that up) in the sshd_config to enable it at run-time.
>
> I thought about applying it in general, but reasoned that not applying a
> backwards-compatibility patch for a patch which we didn't originally
> apply was more consistent -- that way the code most users run is as
> affected (or not) by it as they were before. That's not set in stone,
> though.

I agree.. I do know that several of the labs we work with use the GSSAPI
patch in one shape or another.. so just having it there is good enough for
most of us as we are making our own rebuilds but have to show that it is
from 'upstream'

> > Also do you know what is left out from Simon's original patches to the
> > new ones? I am needing to know this for a larger deployment when this
> > gets rolled into RHEL where we have been distributing 3.6 with older
> > patches. I know that the OpenSSH 3.8 series contains some parts of the
> > patches but not all until there is enough requests or someone pays Simon
> > to do the rest :).
>
> The gssapi-with-mic support is authentication only AFAIK. So no gssapi
> key exchange, which you may miss if you had gotten used to not having to
> accept (or even create) ssh host public keys. The credential forwarding
> works well.

Ah ok. That is where I was fuzzy on where gssapi key exchange came into
play. It is where the Kerberos server authenticates the client to the
server and server to client? Getting the credential forwarding is actually
the big issue for most of the scientists.

> > > - no longer request x11 forwarding by default
> >
> > Will the Xsecurity extensions be looked at in the future?
>
> I couldn't say. I hope so.
>
> HTH,
>
> Nalin

-- 
Stephen John Smoogen  smoogen@xxxxxxxx
Los Alamos National Lab  CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- Please, I have had too much of the stupid today. Please wait until
-- tomorrow to say these things so my tolerance has refreshed.
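An added example, written for this page and not taken from the thread, the OpenSSH project or the Fedora package: a small sshd_config audit that applies sshd's first-occurrence-wins rule for duplicate keywords and reports on the GSSAPI settings the thread touches. It flags the compatibility knob "GssapiEnableMitmAttack yes" that Nalin names (the option exists only once the backwards-compatibility patch is applied, so an unpatched sshd never reads it), and also checks the stock GSSAPIAuthentication and GSSAPICleanupCredentials options. The sample config and the severity labels are constructed for the example.

```python
"""Audit an sshd_config fragment for the GSSAPI settings discussed above.

Added example, not code from the mailing-list thread or any project.
sshd takes the FIRST value it sees for a keyword and ignores later
duplicates, so a compatibility setting appended at the bottom of a file
may silently have no effect; the parser below reproduces that rule.
"""

# Constructed sample sshd_config (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample; comments and blank lines are ignored by sshd
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GssapiEnableMitmAttack yes

# duplicate keyword: ignored, because the first occurrence above wins
GSSAPIAuthentication no
"""


def parse_sshd_config(text: str) -> dict:
    """Return {lowercase_keyword: value}, keeping the first occurrence only.

    Keywords are case-insensitive in sshd_config, so they are lowercased.
    Both "Keyword value" and "Keyword=value" forms are accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue  # a bare keyword with no value; sshd would reject it
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def _is_yes(settings: dict, key: str, default: str) -> bool:
    """True when the option resolves to 'yes', using sshd's documented default."""
    return settings.get(key.lower(), default).lower() == "yes"


def audit_gssapi(text: str) -> list:
    """Return (severity, message) findings for the GSSAPI-related options."""
    s = parse_sshd_config(text)
    findings = []

    # Option from the compatibility patch discussed in the thread; default
    # assumed 'no' (the patch must be applied and the knob set to enable it).
    if _is_yes(s, "GssapiEnableMitmAttack", "no"):
        findings.append(("HIGH",
                         "GssapiEnableMitmAttack yes: pre-gssapi-with-mic "
                         "compatibility mode is enabled; remove it once every "
                         "client speaks gssapi-with-mic"))

    # Stock sshd option, default 'yes': forwarded Kerberos credentials are
    # destroyed at logout.  'no' leaves ticket caches behind on the server.
    if not _is_yes(s, "GSSAPICleanupCredentials", "yes"):
        findings.append(("MEDIUM",
                         "GSSAPICleanupCredentials no: forwarded credentials "
                         "persist on the server after the session ends"))

    # Stock sshd option, default 'no'.
    if not _is_yes(s, "GSSAPIAuthentication", "no"):
        findings.append(("INFO",
                         "GSSAPIAuthentication is off; Kerberos users will "
                         "fall back to other authentication methods"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_gssapi(SAMPLE_SSHD_CONFIG):
        print(f"[{severity}] {message}")
```

Note that the script says nothing about GSSAPI key exchange: as Nalin points out, 3.8's gssapi-with-mic is authentication only, so host keys are still verified the ordinary way and the usual known_hosts hygiene still applies.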