GSSAPI Key Exchange Patch for OpenSSH 5.0p1 (plus an added extra)

Simon Wilkinson sxw at inf.ed.ac.uk
Fri Apr 4 10:03:49 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's that time again! There's been another OpenSSH release, and once  
again, I'm pleased to announce the availability of my GSSAPI Key  
Exchange patch for it.

Whilst OpenSSH contains support for GSSAPI user authentication, this  
still relies upon SSH host keys to authenticate the server to the  
user. For sites with a deployed Kerberos infrastructure this adds an  
additional, unnecessary, key management burden. GSSAPI key exchange  
allows the use of security mechanisms such as Kerberos to  
authenticate the server to the user, removing the need for trusted  
ssh host keys, and allowing the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange  
mechanisms to OpenSSH, along with adding some additional, generic,  
GSSAPI features. It implements
  *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key   
exchange mechanisms. (#1242)
  *) Support for the null host key type (#1242)
  *) Support for CCAPI credentials caches on Mac OS X (#1245)
  *) Support for better error handling when an authentication  
exchange fails due to server misconfiguration (#1244)
  *) Support for GSSAPI connections to hosts behind a round-robin   
load balancer (#1008)
  *) Support for GSSAPI connections to multi-homed hosts, where each   
interface has a unique name (#928)

(bugzilla.mindrot.org bug numbers are in brackets)

This release fixes a problem where the GSSAPIStrictAcceptorCheck  
option was always enabled.

As usual, the code is available from http://www.sxw.org.uk/computing/ 
patches/openssh.html

In addition, with this release I'm pleased to be able to announce an  
additional patch which implements cascading credential support. This  
allows credentials provided via key exchange to be cascaded through a  
set of ssh connections, so that a once a user reauthenticates on  
their workstation, the new credentials are available on all machines  
to which they are currently connected. This is controlled via the new  
options GSSAPIRenewalForcesReKey and GSSAPIStoreCredentialsOnRekey. A  
pam stack, 'sshd-rekey' may be defined to trigger renewal of  
additional credentials, such as X509 certificates or AFS tokens, when  
credentials are renewed on a particular machine. Cascading credential  
support is implemented using the standard ssh protocol.

The cascading credentials patch is also available from the above  
website. Whilst it has been extensively tested, it has received less  
peer-review than the rest of the GSSAPI code. Reports of both  
success, and failure, would be greatly appreciated! If anyone would  
like to provide face-to-face feedback, I will be at the AFS &  
Kerberos Best Practices Workshop in May.

Cheers,

Simon.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH9jVFqWndc26pXmcRApOeAJkB7I5oCCJweGs3UeNuxpk0i9s0iACgrNav
hAN00rDs+VdjeL1NF5HzxgI=
=yH5d
-----END PGP SIGNATURE-----



More information about the Kerberos mailing list