
Re: DSA-1571 and GSSAPI



Juha Jäykkä <juhaj@iki.fi> writes:

> However, ever since we started using Heimdal, we have used GSSAPI
> authentication by default, which, to my understanding, does not rely on
> SSH host or user keys, but bases all its crypto on Kerberos. Does this
> mean data transmitted over GSSAPI-authenticated links is still secure?
> (Not that it matters much - there is no way of making sure the default
> (GSSAPI) was *always* used when transmitting sensitive data.

If you were using MIT Kerberos, you would be fine so far as I can tell
since MIT Kerberos has its own crypto layer and its own randomness
functions.  However, Heimdal uses OpenSSL as its crypto layer.  I have not
yet confirmed whether that includes using it for the generation of random
session keys, but that would be the conservative assumption.  Given that,
it may well be possible to brute-force the session key of any captured
GSSAPI-encrypted traffic and decrypt it retroactively.

If you're using Heimdal, you should also change all long-term random keys
(such as any key in generated keytab files) that were generated using the
vulnerable version of OpenSSL.  Keys based on user passwords should be
fine.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
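The retroactive attack Russ describes, as an added illustration that is not code from this thread, Heimdal or OpenSSL: a stand-in PRNG whose entire seed is the process ID (the shape of the DSA-1571 flaw, not a copy of the affected OpenSSL code), a toy authenticated stream cipher standing in for a Kerberos enctype, and an eavesdropper who recovers a captured message offline by walking the PID space. PID_MAX, the hash-based PRNG and cipher, the PBKDF2 password-to-key step, and the sample message are all constructed assumptions. The password-derived key at the end shows the contrast Russ draws in his last paragraph: it consumes no PRNG output, so the same search fails against it.

```python
import hashlib
import hmac
import os
import struct

# Constructed assumption: the only entropy reaching the seed is the process ID,
# which on the Linux systems of the day could take at most 32768 values.
PID_MAX = 32768
KEY_LEN = 32


def weak_prng(pid: int, nbytes: int) -> bytes:
    """Toy stand-in for a PRNG whose output is a pure function of the PID.
    This is NOT the OpenSSL code; it only reproduces the tiny seed space."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack(">II", pid, counter)).digest()
        counter += 1
    return out[:nbytes]


def weak_session_key(pid: int) -> bytes:
    """Session key as a process running the broken PRNG would mint it."""
    return weak_prng(pid, KEY_LEN)


def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from a password (string-to-key style, constructed with
    PBKDF2); no random bytes are consumed, so the PRNG flaw cannot touch it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream for the toy cipher (constructed)."""
    ks = b""
    ctr = 0
    while len(ks) < length:
        ks += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return ks[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """Toy authenticated stream cipher standing in for a Kerberos enctype."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None when the tag rejects this key."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def recover_session_key(nonce: bytes, ct: bytes, tag: bytes):
    """Offline attack on one captured message: try every PID-derived key.
    Returns (pid, plaintext) on success, None if no candidate key verifies."""
    for pid in range(1, PID_MAX):
        pt = decrypt(weak_session_key(pid), nonce, ct, tag)
        if pt is not None:
            return pid, pt
    return None


if __name__ == "__main__":
    nonce = os.urandom(16)  # the nonce is sent in clear; it gives the attacker nothing new
    msg = b"constructed sample: sensitive payload"  # constructed sample plaintext

    ct, tag = encrypt(weak_session_key(4242), nonce, msg)
    print("PRNG-derived session key:", recover_session_key(nonce, ct, tag))

    ct, tag = encrypt(password_key("hunter2", b"EXAMPLE.ORGjuhaj"), nonce, msg)
    print("password-derived key:", recover_session_key(nonce, ct, tag))
```

The search costs one key derivation and one tag check per candidate PID, so an eavesdropper with a packet capture needs only seconds per message; nothing about the ciphertext itself is weak, the key simply comes from too small a set. That is why Russ recommends replacing every random long-term key (keytab entries) minted under the vulnerable OpenSSL while leaving password-derived keys alone.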

