New release of GSSAPI Key Exchange patch

Simon Wilkinson sxw at
Sat Jan 1 17:53:54 EST 2011

[ If you're not familiar with the GSSAPI key exchange patches, or unsure why they make OpenSSH usable in large Kerberos deployments, contains some background information ]

Regular readers of these emails will be aware that they've recently all begun with apologies for the delay in producing the patch - this has been down to a poor tool chain, and $work using systems which no longer have a need for these patches to work with the latest and greatest OpenSSH binary.

So, the major announcement here is that I've made significant changes to the way in which these patches are produced. This should hopefully both make it easier (and quicker) for me to produce them in future, and make it simpler for others who want to produce patches based upon them.

Firstly, I've created a git-cvsimport mirror of the OpenSSH portable repository at 

This is a regularly updated git repository which purely tracks the code available from

Secondly, the GSSAPI OpenSSH key exchange patches are now based on a clone of this git tree. This makes it much easier to track the patches, and to merge them into forthcoming releases. The tree with the patches in is available from 

A patch for each release will continue to be available from my website at

As well as updating the patch to OpenSSH 5.6p1, the new release also adds support for a GSSAPIServerIdentity client configuration directive. This allows the user to give the GSSAPI acceptor identity (Kerberos principal) which the server will use to accept their request. It is useful in situations such as port forwarding, where the name that must be used to reach a particular host doesn't match the name that that machine knows itself by. Thanks to Jim Basney for this code!
