GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Simon Wilkinson sxw at inf.ed.ac.uk
Thu Sep 27 17:33:49 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm pleased to (finally) announce the availability of my GSSAPI Key  
Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for  
doing GSSAPI user authentication, this only allows the underlying  
security mechanism to authenticate the user to the server, and  
continues to use SSH host keys to authenticate the server to the  
user. For many sites who already have security infrastructures such  
as Kerberos deployed, managing large numbers of SSH host keys is an  
additional, unneccessary, burden. GSSAPI key exchange allows the use  
of security mechanisms such as Kerberos to authenticate the server to  
the user, removing the need for trusted ssh host keys, and allowing  
the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange  
mechanisms to OpenSSH, along with adding some additional features to  
the GSSAPI code that is already in the tree.

The patch implements:
   *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key  
exchange mechanisms. (#1242)
   *) Support for the null host key type (#1242)
   *) Support for CCAPI credentials caches on Mac OS X (#1245)
   *) Support for better error handling when an authentication  
exchange fails due to server misconfiguration (#1244)
   *) Support for GSSAPI connections to hosts behind a round-robin  
load balancer (#1008)
   *) Support for GSSAPI connections to multi-homed hosts, where each  
interface has a unique name (#928)

(bugzilla.mindrot.org bug numbers are in brackets)

There are no code changes since the previous release.

As usual, the code is available from
http://www.sxw.org.uk/computing/patches/openssh.html

I'm also interesting in hearing from people who might be interested  
in testing some new cascading credentials delegation code. When you  
renew your Kerberos credentials on the client, this code will  
automatically propagate these renewed credentials to the server,  
allowing the seamless renewal of credentials across ssh sessions  
distributed across many different machines. If you have an interest  
in testing this code in a non-production environment, please let me  
know!

Cheers,

Simon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFG/CG9qWndc26pXmcRAikbAKDLw84hjqy2Z4dF6/H4ZmK6/gY4XwCffEWm
FQleDwIuPJI8sJQ/I9SSRDo=
=RJHh
-----END PGP SIGNATURE-----



More information about the Kerberos mailing list