Merging GSSAPI kex?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


I was thinking about the recent problems with the GSSAPI kex patch,
and I wonder if it would be best to merge GSSAPI kex into OpenSSH
upstream.  My (admittedly dated) understanding is that the patch is
of high quality, and that the concerns are instead about the GSSAPI
implementation in use.  However, I believe this is a non-issue for
most environments where GSSAPI kex would be useful: if someone can
find an RCE in the GSSAPI implementation, there are bigger problems
(like compromised domain controllers).

To avoid increasing the attack surface when GSSAPI is not in use,
I recommend having it off by default at both build-time and run-time.
The OpenBSD version would of course ship with it disabled (no GSSAPI
implementation in base), though there might be a package that
ships with it enabled.  Most Linux distributions would ship with
it included in the build, but not enabled via sshd.conf.  In this
configuration, I would expect there to be no drawbacks other than a
slightly increased binary size.  I also believe that the additional
attack surface would be little greater than GSSAPI authentication,
which OpenSSH already supports.
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux