SSHv2 with GSSAPI authentication from Windows to Unix

Douglas E. Engert deengert at anl.gov
Thu Oct 10 16:54:38 EDT 2002 

The IETF is working on standardizing the use of GSSAPI for authentication
with the SSHv2 protocol. This will allow the use of MIT Kerberos and/or Globus GSI
GSSAPI to authenticate.  

As a user of all of this, I am sending this note.
 
The latest version of the VanDyke SecureCRT 4.0 for Windows, now
supports the GSSAPI secsh extensions with SSHv2. The equivalent 
SSHD server mods are implemented by Simon Wilkinson's GSSAPI patches to 
OpenSSH-3.4p1

SecureCRT can use a gssapi32.dll for GSSAPI support.  I have tested it with 
the MIT gssapi32.dll from krb5-1.2.6 as well as the Globus GSI gsspai32.dll 
from GSI-1.1.3. SecureCRT can also use the Microsoft SSPI.

VanDyke has not fully announced this feature, for reasons as listed below, but
I wanted to make others aware of this, as SecureCRT is a fine terminal emulator,
and the addition of the GSSAPI for authentication fits well into many environments. 

(To be fair, I should point out Kermit, and SecureNet are implementing 
similar features. And there may be other products I am not aware of.) 

Previous version of SecureCRT supported a gssapi with sshv1 and it still works. They
also required a gsigss32.dll. This is no longer required. They can now use the MIT 
gssapi32.dll directly. 

But the GSSAPI features in SecureCRT 4.0 are currently not enabled be default, and
require some editing by hand. 

To enable the GSSAPI feature, edit the SSH2.ini file which is in a location like:    
C:\Documents and Settings\<user>\Application Data\VanDyke\SecureCRT\Config\SSH2.ini
file and add this line:
D:"Enable GSSAPI Authentication"=00000001

After this is added, The Connect Connection->authentication option of GSSAPI will be one
of the options for primary or secondary authentication with SSHv2.

By default the gssapi32.dll is used for the GSSAPI support, but you can use
the built in Microsoft SSPI on Windows 2000 by editing selected session files:

C:\Documents and Settings\<user>\Application Data\VanDyke\SecureCRT\Config\Sessions\
Change :
S:"GSSAPI Method"=gssapi
to 
S:"GSSAPI Method"=gss-ms-kerberos

(This has the potential of an all vendor environment with no additional software.)

The SecureFX SFTP product can also use the GSSAPI. Contact support at vandyke.com for this.

Since this is using the GSSAPI, it also works with Globus GSI as well!


Personally I would like to thank all the people at VanDyke for following through on this 
integration of the IETF draft standards into their fine product which I use every day! I 
would like to encourage them to continue, and add the GSSAPI as a fully integrated and
documented feature. 


support at vandyke.com wrote:

> 
> None of this is really "private".  Anyone you know that is
> interested in GSSAPI/Kerberos support can contact us; we
> don't have any specific problems with you giving the information
> out either, however, you may want to direct people through
> support at vandyke.com, since that way you won't get nailed with
> their questions ;-)
> 
> The biggest resaons this isn't exposes yet in any of our products
> is that we don't feel like most folks see it as a "prime-time"
> feature yet.  For those who need it, the functionality can be
> enabled, but for most users at this point is is simply "noise".
> As I type this, development is having a meeting on where to go
> with this exposure, and after a few small changes on our side,
> I suspect you'll see this fully exposed in the UI.
> 
> We'll keep you informed.
> 
> Thank You,
> 
> ~Jaime C. Jordan
> support at vandyke.com

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list