GSSAPI Key Exchange Patch for OpenSSH 5.3p1

Simon Wilkinson sxw at inf.ed.ac.uk
Sun Jan 24 06:55:05 EST 2010 

>From the better-late-than-never-department, I'm pleased to announce the availability of my GSSAPI Key Exchange patches for OpenSSH 5.3p1. This is a pretty minor maintenance release - it contains a couple of fixes to take into account changes to the underlying OpenSSH code, and a compilation fix for when GSSAPI isn't required. Thanks to Colin Wilson and Jim Basney for their bug reports.

I'd like to thank the distributors who've been patiently waiting for me to get this done - sorry once again for the delay.

Why?
----
Whilst OpenSSH contains support for GSSAPI user authentication, this still relies upon SSH host keys to authenticate the server to the  user. For sites with a deployed Kerberos infrastructure this adds an additional, unnecessary, key management burden. GSSAPI key exchange allows the use of security mechanisms such as Kerberos to authenticate the server to the user, removing the need for trusted ssh host keys, and allowing the use of a single security architecture.

How?
----
This patch adds support for the RFC4462 GSSAPI key exchange mechanisms to OpenSSH, along with adding some additional, generic, GSSAPI features. It implements:

*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each interface has a unique name (#928)
*) Support for cascading credentials renewal
*) Support for the GSSAPIClientIdentity option, to allow the user to select which client identity to use when authenticating to a server.

(bugzilla.mindrot.org bug numbers are in brackets)

Where?
------
As usual, the code is available from 
http://www.sxw.org.uk/computing/patches/openssh.html

Two patches are available, one containing cascading credentials support, and one without. In addition, the quilt patch series that makes up this release is also provided, for those who wish to pick and choose!

Cheers,

Simon.

More information about the Kerberos mailing list