On Mon, Mar 14, 2022 at 10:14:05PM +0000, grey wrote:

> What do others think? Feedback is welcome! I didn't mean to harsh on
> Renee in the PR comments either, but Renee was pretty up front about
> not actually using the OpenSSH port, so I would mostly appreciate
> perspective from individuals who do actually use the OpenSSH port and
> have some "skin in the game" as the idiomatic expression goes.
>
> For the life of me, I can't really see much good coming from the
> +gsskex/GSSAPI variant, but I also do not presently administer any
> Kerberos related infrastructure at the moment (thankfully, if slightly
> tangentially, I also do not administer any yp related infrastructure
> these days anymore and can blissfully only recall them and their
> associated security holes with ypcat abuses as distant early 1990s
> memories now).
As somebody who's done a few openssh Portfile updates in the past, the gsskex and hpn patches have always been a pain, and I've been in favor of dropping them before. Maybe now the time has finally come to get rid of them.

I happen to have access to a few Kerberos-enabled SSH servers, and can report that the existing +kerberos5 variant is sufficient to allow connecting using an existing Kerberos ticket. The only benefits provided by the gsskex patch on top of that are:

- no trust on first use for the hostkey, since the server is authenticated during the Kerberos exchange
- credential delegation (basically SSH agent forwarding for Kerberos)

I believe people used to claim a speed advantage, but I'm not sure that's a big reason anymore these days, considering ECDH is fast and widely available.

Other distributions [1] seem to still be shipping the patch, but they may have more manpower to maintain it. I'll try to remember to ask the authors of RFC 8732 for their opinion on this tomorrow.

Overall, I'm in favor of dropping this. A Kerberos corner case used by very few people should not block us from applying security updates for the majority of the users, but that is what has happened multiple times now. Additionally, the patch does not provide a lot of additional value, IMO, since Kerberos auth still works without it. If somebody wants to step up to maintain a copy of openssh with the gsskex patch, they can submit a separate Portfile.

[1]: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137
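An added check (not code from either message) for telling a plain GSSAPI-enabled client, which is what the +kerberos5 variant gives you, apart from one carrying the gsskex patch. It assumes the client keyword GSSAPIKeyExchange is the one the patch introduces, and relies on `ssh -G`, which prints the effective configuration without connecting, only listing keywords the binary was built with.

```shell
#!/bin/sh
# Added example: report which GSSAPI features the ssh client on PATH was
# built with. `ssh -G` dumps the effective client config for a host name
# without opening a connection, so the host name here is only a placeholder.
# Prints one of: no-ssh, no-gssapi, gssapi, gssapi+gsskex

ssh_gss_support() {
    command -v ssh >/dev/null 2>&1 || { echo no-ssh; return 0; }

    # Upstream OpenSSH lists gssapiauthentication in -G output only when it
    # was compiled with GSSAPI support (what the +kerberos5 variant provides).
    if ! ssh -G -o GSSAPIAuthentication=yes placeholder.example 2>/dev/null \
         | grep -qi '^gssapiauthentication'; then
        echo no-gssapi
        return 0
    fi

    # GSSAPIKeyExchange (assumed keyword) exists only in clients carrying the
    # gsskex patch. An unpatched client rejects or ignores the option, so the
    # keyword never shows up in the -G dump.
    if ssh -G -o GSSAPIKeyExchange=yes placeholder.example 2>/dev/null \
         | grep -qi '^gssapikeyexchange'; then
        echo gssapi+gsskex
    else
        echo gssapi
    fi
}

ssh_gss_support
```

On a client that reports `gssapi`, ticket-based login still works but host authentication falls back to the usual known_hosts trust-on-first-use, which is the trade-off the message above describes.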