It's one solution for key distribution, but surely not the only one and possibly not the best one. Popular doesn't equal good.

James Ralston wrote:
> These data are compelling that including GSSAPI kex in OpenSSH will
> not weaken its overall security posture—especially if GSSAPI kex is
> not enabled by default.

Dunno about that. Empirical evidence can only ever show that there was no problem in the past. I guess some serious security issue has existed in some project ~10 years before getting fixed.

More code, more complexity, in one of the most sensitive code paths is not great.

Maybe this is rarely a primary concern where AD is used. One could certainly argue that it should be.

> Integrating the GSSAPI kex patch would only make it more useful to
> system administrators everywhere.

Only to systems administrators wanting to use the functionality.

For everyone else in the world, probably including OpenSSH maintainers, it can only make life worse.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev