From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
Date: Thu, 20 Sep 2007 11:21:37 +0300
To: Kevin Way
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: GSSAPI Key Exchange in sshd?
Message-ID: <46F22D91.9070104@moneybookers.com>
User-Agent: Thunderbird 2.0.0.6 (X11/20070831)
Hello,

Kevin Way wrote:
> I'm curious if there are technical (or other) reasons that prevent
> FreeBSD from adding RFC 4462 (GSSAPI Key Exchange) support to sshd.
> The MIT Kerberos team first requested this four years ago, and
> implementation patches have been available for years at:
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> The author of those patches has offered (without much public response)
> to allow integration of the patches into the openssh source
> distribution, so I don't think licensing would be an issue.
>
> This would be incredibly useful to me, as it'd remove the burden of
> site-wide ssh host key distribution.

I'm using openssh-portable from ports to do this. It is an option there, so you have a choice. Unfortunately there is no patch available for the latest (4.7) openssh, so we have to wait a little.

It has been explained many times why you should use ports if you want customization for apps like heimdal, openssh and perl (in the past, when it was built into the base system). It is also quite a lot easier to maintain updates when you use the ports version for this.

Why it is not part of openssh I can only guess, but I'm sure it involves security problems (just like the HPN patch), and that's why it is not part of the openssh source tree.

> Regards,
> Kevin Way

-- 
Best Wishes,
Stefan Lambrev
ICQ# 24134177
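As an added illustration, not part of either Kevin's question or Stefan's reply, this is roughly what enabling GSSAPI key exchange looks like once sshd is built with the sxw.org.uk patch set the thread refers to. The directive names (GSSAPIKeyExchange, GSSAPITrustDNS) are the ones that patch adds and are assumed here from its documentation, not taken from the mail; the `example.org` domain is a placeholder. The point Kevin makes is visible in the second fragment: with a GSS key exchange the server is authenticated by its Kerberos host principal, so no SSH host key has to be distributed into known_hosts, but only if the client does not silently fall back to a non-GSS key exchange, where ordinary host key checking still applies.

```conf
# sshd_config (server side). Directive names assumed from the GSSAPI
# key exchange patch for OpenSSH; GSSAPIKeyExchange is NOT in stock OpenSSH.
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
# Only accept tickets addressed to this host's own host/ principal; with "no"
# a ticket for any principal in the keytab would authenticate the server.
GSSAPIStrictAcceptorCheck yes
GSSAPICleanupCredentials yes

# ssh_config (client side), placeholder domain
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    # Derive the server principal from the name you typed, not from a reverse
    # DNS lookup: with "yes", whoever controls DNS chooses which host principal
    # you end up authenticating, which defeats the host-identity guarantee.
    GSSAPITrustDNS no
    # Forwarding your TGT to every server is the GSSAPI equivalent of
    # agent forwarding; leave it off unless the remote host needs it.
    GSSAPIDelegateCredentials no
```

To confirm the GSS exchange was actually used rather than a fallback, run the client with `-vv` and check which kex method was negotiated (the patch's methods are prefixed `gss-`); a connection that negotiated a plain `diffie-hellman-*` method is still relying on the host key in known_hosts.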