[5568] in Release_7.7_team
Fwd: [Macosx-release] Security Update 2006-004 breaks ssh to Athena
daemon@ATHENA.MIT.EDU (William Cattey)
Wed Aug 9 15:15:00 2006
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <7FEAB1C9-1C15-4FD3-822F-96433A8D033A@mit.edu>
Content-Transfer-Encoding: 7bit
From: William Cattey <wdc@MIT.EDU>
Date: Wed, 9 Aug 2006 15:14:42 -0400
To: release-team@mit.edu
X-Spam-Score: 1.217
X-Spam-Level: * (1.217)
X-Spam-Flag: NO
So MacOS has updated SSH to require gssapi-with-mic by default.
I am forwarding this to Release Team as additional indication that
supporting
sshd with gssapi-with-mic is a good thing.
Perhaps it's not necessary for me to continue to push this case
inasmuch as stock RedHat sshd seems to have gssapi-with-mic, if I'm
remembering correctly. Nevertheless, I thought it might be useful to
let Release Team know of another impact of this.
-wdc
Begin forwarded message:
> From: Jonathan Reed <jdreed@MIT.EDU>
> Date: August 9, 2006 1:52:23 PM EDT
> To: macosx-release@mit.edu
> Subject: [Macosx-release] Security Update 2006-004 breaks ssh to
> Athena
>
> We should probably notify people of this before they start installing
> it...
>
>
> Security Update 2006-004 includes a patch to OpenSSH. From
> discussions with other users and my own verification, it looks like
> they did not backport the patch to do gssapi authentication, which
> Athena uses. Instead, it only supports the newer gssapi-with-mic
> authentication mechanism, which Athena does not support.
>
> Thus, if people are used to obtaining Kerberos tickets and then
> ssh'ing to Athena without typing their password, they will no longer
> be able to do that after taking this security update.
>
> I have no idea if Apple plans to fix this, but I'd be surprised if
> they did, since the old gssapi authentication mechanism is considered
> deprecated at this point.
>
>
> -Jon
> _______________________________________________
> Macosx-release mailing list
> Macosx-release@mit.edu
> http://mailman.mit.edu/mailman/listinfo/macosx-release
