GSSAPI Key Exchange patches for OpenSSH 4.3p2

Simon Wilkinson simon at
Mon Mar 6 07:40:26 EST 2006

Patches supporting GSSAPI Key Exchange in OpenSSH 4.3p2 are now
available from

These patches add support for performing GSSAPI key exchange to the
OpenSSH client and server. Whilst OpenSSH contains support for using
GSSAPI in the user authentication step, this is inadequate for many
sites, as it doesn't provide a mechanism for using GSSAPI/Kerberos to
verify the server's identity to the user. Using GSSAPI key exchange uses
Kerberos to validate the servers identity, and can eliminate the need to
maintain known hosts files of server public keys across your site.

These patches also contain a number of improvements as a result of
resyncing against the Debian patch set, including:
  *) Support for the CCAPI on Darwin
  *) Support for the Security Session API on Darwin
  *) Support for not counting failures due to bad server configuration
     against the clients number of permitted authentication attempts

Thanks to Sam Hartman, Alexandra Ellwood and Harald Barth



More information about the Kerberos mailing list