* Carson Gaspar (carson@taltos.org) wrote:
> Damien Miller wrote:
> > Yes - we are very scared of adding features that lead to more
> > pre-authentication attack surface, especially when they delegate to
> > complex libraries with patchy security histories.

>
> The risk of a pre-auth GSSAPI bug is far less than the nearly
> _impossible_ key management problem without it. Sun has integrated the
> patch. My employer is rolling it out, and is asking Red Hat to include
> it. At this point, _not_ incorporating it upstream is just leading to a
> de facto source code fork. I strongly suggest the maintainers reconsider
> their position.


I would tend to agree. The patch is also in Debian, and as such I
suspect a number of other places (Ubuntu, etc). Certainly if you're
aware of specific security issues with the patch there are a lot of
people who would benefit from knowing what they are. If there aren't,
it would be great to have it included to minimize the risk of an issue
being found in the future and not being patched everywhere, or other
issues related to forking.

Thanks,

Stephen

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
