Damien Miller wrote:

> Yes - we are very scared of adding features that lead to more
> pre-authentication attack surface, especially when they delegate to
> complex libraries with patchy security histories.


The risk of a pre-auth GSSAPI bug is far less than the nearly
_impossible_ key management problem without it. Sun has integrated the
patch. My employer is rolling it out, and is asking Red Hat to include
it. At this point, _not_ incorporating it upstream is just leading to a
de facto source code fork. I strongly suggest the maintainers reconsider
their position.

--
Carson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev