On Friday, January 30, 2004 16:25:34 -0700 "Wachdorf, Daniel R" <[EMAIL PROTECTED]> wrote:
2 - RFC also allows for gss mechanisms that don't have GSSAPI integrity. Servers can then choose to disallow it. As far as I can tell from the code, any client which doesn't (or can't) have the GSS_C_INTEG_FLAG set cannot connect. I can't test this because Kerberos-gssapi uses integrity.
This is legitimate behaviour. See the last paragraph of section 3.6, at the top of page 15:
It is a site policy decision for the server whether or not to permit authentication using GSSAPI mechanisms and/or contexts which do not support per-message integrity protection. The server MAY fail the otherwise valid gssapi-with-mic authentication if per-message integrity protection is not supported.
Note the use of the word "MAY", which means "do whatever you want". We actually expect that most server operators will want to accept gssapi-with-mic only in cases where integrity is supported. There was a fairly lengthy discussion of this issue on the ietf-ssh list last October or so.
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
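The server-side policy the reply describes, as an added example that is not part of the thread and not OpenSSH's code: once the GSS-API context is established, the server looks at the returned context flags and applies the site's choice for contexts without per-message integrity. The flag values are the ones from RFC 2744; the verdict names, the `integ_policy` enum and the treatment of a client that sends (or omits) the MIC message inconsistently with its context are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Context flag bits as defined in RFC 2744 (GSS-API C bindings). */
#define GSS_C_CONF_FLAG  16u
#define GSS_C_INTEG_FLAG 32u

/* Site policy: does this server accept gssapi-with-mic on contexts
 * that lack per-message integrity protection? (assumed enum) */
enum integ_policy { INTEG_REQUIRED, INTEG_OPTIONAL };

/* What the server does next (assumed verdict names). */
enum auth_verdict {
    AUTH_VERIFY_MIC,          /* integrity available: verify the client's MIC */
    AUTH_ACCEPT_WITHOUT_MIC,  /* site policy allows contexts without integrity */
    AUTH_REJECT               /* the RFC's "MAY fail", or an inconsistent client */
};

/* Decide the outcome after gss_accept_sec_context() has completed.
 * ret_flags: the flags the GSS layer reported for the established context.
 * client_sent_mic: nonzero if the client sent a MIC message rather than
 * the exchange-complete message (hypothetical helper, not OpenSSH's). */
enum auth_verdict decide_gssapi_with_mic(uint32_t ret_flags,
                                         enum integ_policy policy,
                                         int client_sent_mic)
{
    int has_integ = (ret_flags & GSS_C_INTEG_FLAG) != 0;

    if (has_integ) {
        /* The context can do integrity, so a MIC is expected; a client
         * that skips it is treated as a failure here (example's choice). */
        return client_sent_mic ? AUTH_VERIFY_MIC : AUTH_REJECT;
    }

    /* No integrity on this context: a MIC cannot have been produced, so a
     * client claiming to send one is inconsistent and is rejected. */
    if (client_sent_mic)
        return AUTH_REJECT;

    /* Otherwise the site policy decides, as section 3.6 permits. */
    return (policy == INTEG_REQUIRED) ? AUTH_REJECT : AUTH_ACCEPT_WITHOUT_MIC;
}

static const char *verdict_name(enum auth_verdict v)
{
    switch (v) {
    case AUTH_VERIFY_MIC:         return "verify MIC";
    case AUTH_ACCEPT_WITHOUT_MIC: return "accept without MIC";
    default:                      return "reject";
    }
}

int main(void)
{
    /* Constructed sample contexts: a Kerberos-style context reports
     * integrity; the second models a mechanism that does not. */
    uint32_t krb_flags    = GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG;
    uint32_t nointeg_flags = GSS_C_CONF_FLAG;

    printf("kerberos, strict site, MIC sent:      %s\n",
           verdict_name(decide_gssapi_with_mic(krb_flags, INTEG_REQUIRED, 1)));
    printf("no-integrity mech, strict site:       %s\n",
           verdict_name(decide_gssapi_with_mic(nointeg_flags, INTEG_REQUIRED, 0)));
    printf("no-integrity mech, permissive site:   %s\n",
           verdict_name(decide_gssapi_with_mic(nointeg_flags, INTEG_OPTIONAL, 0)));
    return 0;
}
```

The strict policy is the behaviour Daniel observed: a client whose context lacks GSS_C_INTEG_FLAG never gets past this check. The permissive branch is what a site that wants to accept such mechanisms would enable.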
