[26896] in Athena Bugs
Re: Athena ssh too old
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 17 13:04:40 2006
From: Greg Hudson <ghudson@mit.edu>
To: Timothy G Abbott <tabbott@mit.edu>
In-Reply-To: <Pine.LNX.4.62L.0607161420450.28547@yaz-pistachio.mit.edu>
Date: Mon, 17 Jul 2006 13:04:18 -0400
Message-Id: <1153155858.29624.32.camel@cage-2.mit.edu>
Cc: bugs@mit.edu, scripts@mit.edu
Errors-To: bugs-bounces@mit.edu

On Sun, 2006-07-16 at 14:27 -0400, Timothy G Abbott wrote:
> The scripts.mit.edu project worked around this problem by compiling its
> own copy of openssh 4.3p2 for Athena. However, it would be nice if the root
> problem of Athena running an ssh with a known security problem were to be
> fixed.

As best I understand it, the security issue associated with gssapi
(without mic) is that it provides no better stream protection than
password authentication--which is to say, ssh protects the stream using
only the host key, which isn't secure against a man-in-the-middle attack
unless the client is using a secure out-of-band means to retrieve the
host public key. I haven't been able to find any description of a more
serious security flaw.

For interoperability reasons, it would be very nice to see an Athena ssh
supporting both gssapi and gssapi-with-mic in the not too distant
future. I am hoping to get the Athena release out of the business of
building openssh in the next full release, and the stock Red Hat openssh
(RHEL 4 or Fedora) only supports gssapi-with-mic as far as I can tell.

So, thanks for bringing this issue to our attention. Unfortunately, I
can't promise a particular time frame for updating the Athena openssh
code base.
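
The difference between the two userauth methods discussed in this message, as an added illustration that is not part of the original e-mail or of OpenSSH: in gssapi-with-mic (RFC 4462) the client sends a MIC computed over the SSH session identifier, so the server rejects an authentication that was carried across two separate key exchanges. HMAC-SHA256 stands in for GSS_GetMIC here, and the context key, user name and session identifiers are constructed values.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mic_input(session_id: bytes, user: str, service: str = "ssh-connection") -> bytes:
    """Data covered by the MIC in gssapi-with-mic (RFC 4462, section 3.5)."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


def get_mic(context_key: bytes, data: bytes) -> bytes:
    """Stand-in for GSS_GetMIC: HMAC-SHA256 under the context key (assumption)."""
    return hmac.new(context_key, data, hashlib.sha256).digest()


def server_accepts(context_key: bytes, server_session_id: bytes, user: str, mic: bytes) -> bool:
    """The server recomputes the MIC over its own session identifier."""
    expected = get_mic(context_key, mic_input(server_session_id, user))
    return hmac.compare_digest(expected, mic)


def demo() -> dict:
    # Constructed values: the GSS context key is known to client and server only.
    context_key = hashlib.sha256(b"constructed gss context key").digest()
    # A session identifier is the exchange hash of one key exchange, so two
    # separate key exchanges (one on each side of a relay) yield two values.
    direct_sid = hashlib.sha256(b"kex: client <-> server").digest()
    client_side_sid = hashlib.sha256(b"kex: client <-> relay").digest()
    server_side_sid = hashlib.sha256(b"kex: relay <-> server").digest()
    user = "constructed-user"
    direct_mic = get_mic(context_key, mic_input(direct_sid, user))
    relayed_mic = get_mic(context_key, mic_input(client_side_sid, user))
    return {"direct": server_accepts(context_key, direct_sid, user, direct_mic),
            "relayed": server_accepts(context_key, server_side_sid, user, relayed_mic)}


if __name__ == "__main__":
    print(demo())
```

Plain gssapi has no such step, which is why its protection rests on host key verification alone, as with password authentication.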