GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Henry B. Hotz hotz at jpl.nasa.gov
Mon Oct 1 04:08:55 EDT 2007


That does sound interesting.  Count me in.

On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:

> Sounds interesting. And yes, I would be interested in
> the cascading credentials delegation code. Does the
> delegation code depend on the key exchange code?
>
> What would it take to get both of these into PuTTY?
>
>
> Simon Wilkinson wrote:
>> Hi,
>> I'm pleased to (finally) announce the availability of my GSSAPI Key
>> Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for
>> doing GSSAPI user authentication, this only allows the underlying
>> security mechanism to authenticate the user to the server, and
>> continues to use SSH host keys to authenticate the server to the
>> user. For many sites who already have security infrastructures such
>> as Kerberos deployed, managing large numbers of SSH host keys is an
>> additional, unnecessary, burden. GSSAPI key exchange allows the use
>> of security mechanisms such as Kerberos to authenticate the server to
>> the user, removing the need for trusted ssh host keys, and allowing
>> the use of a single security architecture.
>> This patch adds support for the RFC4462 GSSAPI key exchange
>> mechanisms to OpenSSH, along with adding some additional features to
>> the GSSAPI code that is already in the tree.
>> The patch implements:
>>    *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
>>       exchange mechanisms. (#1242)
>>    *) Support for the null host key type (#1242)
>>    *) Support for CCAPI credentials caches on Mac OS X (#1245)
>>    *) Support for better error handling when an authentication
>>       exchange fails due to server misconfiguration (#1244)
>>    *) Support for GSSAPI connections to hosts behind a round-robin
>>       load balancer (#1008)
>>    *) Support for GSSAPI connections to multi-homed hosts, where
>>       each interface has a unique name (#928)
>> (bugzilla.mindrot.org bug numbers are in brackets)
>> There are no code changes since the previous release.
>> As usual, the code is available from
>> http://www.sxw.org.uk/computing/patches/openssh.html
>> I'm also interested in hearing from people who might be interested
>> in testing some new cascading credentials delegation code. When you
>> renew your Kerberos credentials on the client, this code will
>> automatically propagate these renewed credentials to the server,
>> allowing the seamless renewal of credentials across ssh sessions
>> distributed across many different machines. If you have an interest
>> in testing this code in a non-production environment, please let me
>> know!
>> Cheers,
>> Simon.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
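The gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* names quoted above are completed, per RFC 4462 section 2.1, by appending the base64 encoding of the MD5 hash of the DER-encoded mechanism OID. The following is an added example, not code from this thread or from the patch: it derives the Kerberos V5 method names so an administrator can recognise which mechanism a client or server is offering in a kex-algorithm list or debug output. The OID value is the standard Kerberos V5 mechanism OID; the function names are mine.

```python
import base64
import hashlib

# Kerberos V5 GSSAPI mechanism OID (RFC 1964); the only entry in this
# constructed lookup table, extend it for other mechanisms you deploy.
KNOWN_MECHANISMS = {"1.2.840.113554.1.2.2": "Kerberos V5"}
GSS_KEX_BASES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")


def der_encode_oid(dotted):
    """DER-encode an OID: tag 0x06, short-form length, base-128 arcs
    with the first two arcs packed into one value (40*a0 + a1)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]  # least significant 7 bits, no continuation bit
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not supported")
    return bytes([0x06, len(body)]) + bytes(body)


def gss_kex_method_name(base, mech_oid):
    """RFC 4462 s2.1: method name = base + base64(MD5(DER(mechanism OID)))."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    return base + base64.b64encode(digest).decode("ascii")


def kerberos_kex_methods():
    """All three gss-* method names the patch implements, for Kerberos V5."""
    return [gss_kex_method_name(b, "1.2.840.113554.1.2.2") for b in GSS_KEX_BASES]


def identify_gss_kex(method_name):
    """Map a gss-* method name seen in a kex list back to its mechanism,
    or None if the suffix matches no known mechanism OID."""
    for base in GSS_KEX_BASES:
        if method_name.startswith(base):
            for oid, label in KNOWN_MECHANISMS.items():
                if gss_kex_method_name(base, oid) == method_name:
                    return label
    return None
```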