GSSAPI Key Exchange Patch for OpenSSH 4.7p1
Douglas E. Engert
deengert at anl.gov
Fri Sep 28 17:26:14 EDT 2007
Sounds interesting. And yes, I would be interested in
the cascading credentials delegation code. Does the
delegation code depend on the key exchange code?
What would it take to get both of these in to PuTTY?
Simon Wilkinson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm pleased to (finally) announce the availability of my GSSAPI Key
> Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains support for
> doing GSSAPI user authentication, this only allows the underlying
> security mechanism to authenticate the user to the server, and
> continues to use SSH host keys to authenticate the server to the
> user. For many sites who already have security infrastructures such
> as Kerberos deployed, managing large numbers of SSH host keys is an
> additional, unneccessary, burden. GSSAPI key exchange allows the use
> of security mechanisms such as Kerberos to authenticate the server to
> the user, removing the need for trusted ssh host keys, and allowing
> the use of a single security architecture.
>
> This patch adds support for the RFC4462 GSSAPI key exchange
> mechanisms to OpenSSH, along with adding some additional features to
> the GSSAPI code that is already in the tree.
>
> The patch implements:
> *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
> exchange mechanisms. (#1242)
> *) Support for the null host key type (#1242)
> *) Support for CCAPI credentials caches on Mac OS X (#1245)
> *) Support for better error handling when an authentication
> exchange fails due to server misconfiguration (#1244)
> *) Support for GSSAPI connections to hosts behind a round-robin
> load balancer (#1008)
> *) Support for GSSAPI connections to multi-homed hosts, where each
> interface has a unique name (#928)
>
> (bugzilla.mindrot.org bug numbers are in brackets)
>
> There are no code changes since the previous release.
>
> As usual, the code is available from
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> I'm also interesting in hearing from people who might be interested
> in testing some new cascading credentials delegation code. When you
> renew your Kerberos credentials on the client, this code will
> automatically propagate these renewed credentials to the server,
> allowing the seamless renewal of credentials across ssh sessions
> distributed across many different machines. If you have an interest
> in testing this code in a non-production environment, please let me
> know!
>
> Cheers,
>
> Simon.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> iD8DBQFG/CG9qWndc26pXmcRAikbAKDLw84hjqy2Z4dF6/H4ZmK6/gY4XwCffEWm
> FQleDwIuPJI8sJQ/I9SSRDo=
> =RJHh
> -----END PGP SIGNATURE-----
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list