I was thinking about the recent problems with the GSSAPI kex patch, and I wonder if it would be best to merge GSSAPI kex into OpenSSH upstream. My (admittedly dated) understanding is that the patch is of high quality, and that the concerns are instead about the GSSAPI implementation in use. However, I believe this is a non-issue for most environments where GSSAPI kex would be useful: if someone can find an RCE in the GSSAPI implementation, there are bigger problems (like compromised domain controllers).

To avoid increasing the attack surface when GSSAPI is not in use, I recommend having it off by default at both build-time and run-time. The OpenBSD version would of course ship with it disabled (no GSSAPI implementation in base), though there might be a package that ships with it enabled. Most Linux distributions would ship with it included in the build, but not enabled via sshd.conf. In this configuration, I would expect there to be no drawbacks other than a slightly increased binary size. I also believe that the additional attack surface would be little greater than GSSAPI authentication, which OpenSSH already supports.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
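The run-time half of the proposal above (shipped in the build, but not enabled in the sshd configuration) is only as good as a distribution's ability to confirm that the options really are off. The script below is an added example, not code from the message or from OpenSSH: it audits an `sshd_config` for the upstream `GSSAPIAuthentication` keyword and for `GSSAPIKeyExchange`, the keyword the GSSAPI kex patch adds, following two sshd parsing rules that trip up hand audits: the first occurrence of a keyword wins, and a keyword inside a `Match` block applies only to connections matching that block. Both keywords default to `no`. The sample configuration is constructed for the example.

```python
"""Audit an sshd_config for GSSAPI settings (added example, not OpenSSH code).

Rules mirrored from sshd_config(5): keywords are case-insensitive, a keyword
may be written as "Key value" or "Key=value", whole lines starting with '#'
are comments, the FIRST occurrence of a keyword is the one sshd uses, and
keywords after a "Match" line apply only when that Match condition holds.
"""
import re

# Upstream default for GSSAPIAuthentication is "no". GSSAPIKeyExchange only
# exists in builds carrying the GSSAPI kex patch, where it also defaults to
# "no"; on an unpatched build the keyword is simply absent.
DEFAULTS = {
    "gssapiauthentication": "no",
    "gssapikeyexchange": "no",
}


def parse_sshd_config(text):
    """Split a config into global settings and Match-scoped settings.

    Returns (global_settings, match_settings):
      global_settings: keyword -> first value seen outside any Match block
      match_settings:  keyword -> [(match condition, value), ...]
    """
    global_settings = {}
    match_settings = {}
    current_match = None  # condition text of the Match block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
            continue
        if current_match is None:
            global_settings.setdefault(key, value)  # first occurrence wins
        else:
            match_settings.setdefault(key, []).append((current_match, value))
    return global_settings, match_settings


def gssapi_status(text):
    """Effective value of each GSSAPI keyword plus any Match-scoped overrides."""
    global_settings, match_settings = parse_sshd_config(text)
    report = {}
    for key, default in DEFAULTS.items():
        report[key] = {
            "effective": global_settings.get(key, default).lower(),
            "match_overrides": match_settings.get(key, []),
        }
    return report


def gssapi_enabled_anywhere(text):
    """True if GSSAPI auth or kex is on globally or for any Match block."""
    for entry in gssapi_status(text).values():
        if entry["effective"] == "yes":
            return True
        if any(val.lower() == "yes" for _, val in entry["match_overrides"]):
            return True
    return False


# Constructed sample: GSSAPI looks disabled at a glance, but a Match block
# turns authentication on for one address range.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment for the example
Port 22
GSSAPIAuthentication no
GSSAPIAuthentication yes
Match Address 10.0.0.0/8
    GSSAPIAuthentication yes
"""

if __name__ == "__main__":
    for key, entry in gssapi_status(SAMPLE_CONFIG).items():
        print(f"{key}: effective={entry['effective']} "
              f"overrides={entry['match_overrides']}")
    print("GSSAPI enabled anywhere:", gssapi_enabled_anywhere(SAMPLE_CONFIG))
```

Run against the sample, the global `GSSAPIAuthentication` reports `no` (the later `yes` on the following line is ignored, as sshd would ignore it), while the `Match Address 10.0.0.0/8` block is reported as a conditional override, so `gssapi_enabled_anywhere` returns `True`. The check reads only the file it is given; an `Include` directive would need the included files fed in as well.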
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev