Re: GSSAPI Key Exchange Patch
One final more on de facto source splits. Not only does Solaris
10 and Debian have gss key exchange, there is at least one version
of PuTTY with it too:
This is listed on
It comes with source and the diffs against PuTTY 0.60.
But it looks like it uses the SSPI rather than the MIT KfW
Douglas E. Engert wrote:
> Stephen Frost wrote:
>> * Carson Gaspar (firstname.lastname@example.org) wrote:
>>> Damien Miller wrote:
>>>> Yes - we are very scared of adding features that lead to more
>>>> pre-authentication attack surface, especially when they delegate to
>>>> complex libraries with patchy security histories.
>>> The risk of a pre-auth GSSAPI bug is far less than the nearly
>>> _impossible_ key management problem without it. Sun has integrated the
>>> patch. My employer is rolling it out, and is asking Red Hat to include
>>> it. At this point, _not_ incorporating it upstream is just leading to a
>>> de facto source code fork. I strongly suggest the maintainers reconsider
>>> their position.
> I too agree with the previous responses. We have gotten away from
> building OpenSSH in favor of using the vendor's versions. Solaris 10
> and Ubuntu are used widely here and both have gssapi-keyex and work well
> together. The option is on by default in Solaris 10 so anyone who
> uses Kerberos and ssh on Solaris 10 is using gssapi-keyex.
> Looks like you already have a de facto source split. It would be nice
> to get things back in sync.
>> openssh-unix-dev mailing list
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439