From owner-freebsd-security@freebsd.org Sun Jan 24 14:18:52 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7E1529C2D9F; Sun, 24 Jan 2016 14:18:52 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3DD0424E; Sun, 24 Jan 2016 14:18:52 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1aNLVA-0009p4-18; Sun, 24 Jan 2016 17:18:48 +0300 Date: Sun, 24 Jan 2016 17:18:47 +0300 From: Slawa Olhovchenkov To: Dag-Erling =?utf-8?B?U23DuHJncmF2?= Cc: freebsd-current@freebsd.org, freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: HPN and None options in OpenSSH Message-ID: <20160124141847.GM37895@zxy.spb.ru> References: <86mvrxvg79.fsf@desk.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <86mvrxvg79.fsf@desk.des.no> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Jan 2016 14:18:52 -0000 On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote: > The HPN and None cipher patches have been removed from FreeBSD-CURRENT. > I intend to remove them from FreeBSD-STABLE this weekend. Can you do some small discurs about ssh+kerberos? I am try to use FreeBSD with $HOME over kerberoized NFS. For kerberoized NFS gssd need to find cache file "called /tmp/krb5cc_, where is the effective uid for the RPC caller" (from `man gssd`). sshd contrary create cache file for received ticket called /tmp/krb5cc_XXXXXXX (random string, created by krb5_cc_new_unique). Is this strong security requirement or [FreeBSD/upstream] can be patched (or introduce option) to use /tmp/krb5cc_ as cache file for received ticket?