Mark,
> 1) Users placed their unencrypted credentials into file .gss_eap_id and connected to a server using a null username '-l ""'. I assume this is a work in progress: will the openssh client be developed to avoid the need of such a file? e.g. using "-l" to pass the user/realm info and being prompted for the password.
This is a good question. I did actually have a patch to do this; however, it was fairly unusable because OpenSSH would then prompt separately for every available GSS mechanism. Obviously it would be possible to refactor this -- elegantly or otherwise -- so that this is not the case. Where provision of credentials interactively on the command line is desired, a more correct approach may be to support a mode where SPNEGO is the only requested mechanism.
To answer your question directly: yes, using .gss_eap_id is a work in progress. Someone else will be able to better explain how this will look in the final product, but my understanding is that you will have the option either to be prompted with native UI or to retrieve credentials stored in a database.
> 2) I didn't quite understand what the remaining man in the middle attack concern was with openssh. Assuming it was discussed on the mailing list, can someone give me the relevant phrase to search for, please?
"Mutual authentication" is probably the right phrase, if I'm thinking of the correct issue.
regards,
-- Luke