So, I think the new patch is a good thing for the current world; I'll
apply when I next touch that code.
In the broader sense, I don't want there to be a GSS-API mechanism that
is vulnerable to integrity negotiation bid-down attacks. That is, if an
attacker without keys can transform messages and turn an authentication
that would have integrity into one without integrity, I think we have a
huge problem.
I don't think server policy is an adequate answer to that.
I understand I need to sell kitten on my belief.
My personal opinion is that if we do end up with such mechanisms,
openssh should only accept no-integrity mechanisms known not to suffer
from that defect. saml-ec is not such a mechanism today because it
never supports integrity. We need to be careful adding integrity if we
want to avoid turning it into such a mechanism. (Using a different OID
is not good enough unless that's protected).
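As an added illustration of the bid-down concern raised in the message above (this is example code, not part of the original post and not any GSS-API mechanism's implementation): a toy negotiation in which the client offers integrity, an on-path party without keys strips that option from the offer, and the server then selects a no-integrity context. The unprotected variant lets the downgrade pass silently; the protected variant binds the offer the server actually saw, together with its choice, into a MIC under the authentication key, so the client can detect that its offer was altered even when the resulting context itself provides no per-message integrity. The shared `AUTH_KEY`, the option names and the function names are assumptions made for this demo.

```python
import hmac
import hashlib

# Constructed for the demo: a key both endpoints already hold from
# authentication. In a real mechanism this would come from the context
# establishment, not a constant.
AUTH_KEY = b"demo-authentication-key"


def mic(key: bytes, transcript: bytes) -> bytes:
    """Integrity check value over a negotiation transcript (HMAC-SHA256)."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def strip_integrity(offer: list) -> list:
    """Models an attacker without keys rewriting the offer in transit."""
    return [opt for opt in offer if opt != "integrity"]


def negotiate(client_offer, server_supports, tamper=None, protect_negotiation=False):
    """Run one client->server->client negotiation round.

    Returns a dict with the option the server chose and whether the client
    detected that its offer was modified on the wire.
    """
    sent = list(client_offer)
    on_wire = tamper(sent) if tamper else sent

    # Server picks integrity only if it appears in the offer it received.
    if "integrity" in on_wire and "integrity" in server_supports:
        chosen = "integrity"
    else:
        chosen = "none"

    if not protect_negotiation:
        # Nothing ties the server's view of the offer to the client's;
        # a stripped offer is indistinguishable from a genuine one.
        return {"chosen": chosen, "detected": False}

    # Protected variant: the server MICs what it saw plus its choice under
    # the authentication key, independent of whether the chosen context
    # will later protect application messages.
    transcript_seen = b",".join(o.encode() for o in on_wire) + b"|" + chosen.encode()
    server_mic = mic(AUTH_KEY, transcript_seen)

    # The client recomputes over what it actually sent; any mismatch means
    # the offer (or the choice) was altered by someone without the key.
    transcript_sent = b",".join(o.encode() for o in sent) + b"|" + chosen.encode()
    detected = not hmac.compare_digest(server_mic, mic(AUTH_KEY, transcript_sent))
    return {"chosen": chosen, "detected": detected}


if __name__ == "__main__":
    offer = ["integrity", "none"]
    supports = {"integrity", "none"}
    print("no tamper, unprotected:", negotiate(offer, supports))
    print("stripped, unprotected: ", negotiate(offer, supports, tamper=strip_integrity))
    print("stripped, protected:   ",
          negotiate(offer, supports, tamper=strip_integrity, protect_negotiation=True))
```

The point the toy makes is the one in the message: a distinct identifier for the no-integrity variant (a different OID, or here a different option name) changes nothing on its own, because the attacker simply presents the other identifier; what matters is that the negotiated outcome is bound to a key the attacker does not have.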