<div dir="ltr">Having also spent time with the OpenSSH port to add Fido support we should just drop the hard-to-maintain variants is my view. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 16, 2022 at 3:54 PM Clemens Lang <<a href="mailto:cal@macports.org">cal@macports.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Mar 14, 2022 at 10:14:05PM +0000, grey wrote:<br>
> What do others think? Feedback is welcome! I didn't mean to harsh on<br>
> Renee in the PR comments either, but Renee was pretty up front about<br>
> not actually using the OpenSSH port, so I would mostly appreciate<br>
> perspective from individuals who do actually use the OpenSSH port and<br>
> have some "skin in the game" as the idiomatic expression goes.<br>
> <br>
> For the life of me, I can't really see much good coming from the<br>
> +gsskex/GSSAPI variant, but I also do not presently administer any<br>
> Kerberos related infrastructure at the moment (thankfully, if slightly<br>
> tangentially, I also do not administer any yp related infrastructure<br>
> these days anymore and can blissfully only recall them and their<br>
> associated security holes with ypcat abuses as distant early 1990s<br>
> memories now).<br>
<br>
As somebody who's done a few openssh Portfile updates in the past, the<br>
gsskex and hpn patches have always been a pain, and I've been in favor<br>
of dropping them before. Maybe now the time has finally come to get rid<br>
of them.<br>
<br>
I happen to have access to a few Kerberos-enabled SSH servers, and can<br>
report that the existing +kerberos5 variant is sufficient to allow<br>
connecting using an existing kerberos ticket.<br>
<br>
The only benefits provided by the gsskex patch on top of that are:<br>
- no trust on first use for the hostkey, since the server is<br>
authenticated during the kerberos exchange<br>
- credential delegation (basically SSH agent forwarding for Kerberos)<br>
I believe people used to claim a speed advantage, but I'm not sure<br>
that's a big reason anymore these days, considering ECDH is fast and<br>
widely available.<br>
<br>
Other distributions [1] seem to still be shipping the patch, but they<br>
may have more manpower to maintain it. I'll try to remember to ask the<br>
authors of RFC 8732 for their opinion on this tomorrow.<br>
<br>
Overall, I'm in favor of dropping this. A kerberos corner case used by<br>
very few people should not block us from applying security updates for<br>
the majority of the users, but that is what has happened multiple times<br>
now. Additionally, the patch does not provide a lot of additional value,<br>
IMO, since kerberos auth still works without it. If somebody wants to<br>
step up to maintain a copy of openssh with the gsskex patch, they can<br>
submit a separate Portfile.<br>
<br>
[1]: <a href="https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137" rel="noreferrer" target="_blank">https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_137</a><br>
</blockquote></div>