gssapi-with-mic vs gssapi-keyex SSH authentication difference?

Benjamin Kaduk kaduk at MIT.EDU
Fri Oct 31 13:52:09 EDT 2014


On Fri, 31 Oct 2014, Rufe Glick wrote:

> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in
> ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication
> yes). When I connect to the SSH server in verbose mode I see that the SSH
> client uses the 'gssapi-with-mic' method to authenticate itself. If I
> additionally enable the 'GSSAPIKeyExchange yes' setting, the SSH client
> prefers the 'gssapi-keyex' method to authenticate itself.
>
> The questions are: what happens under the hood with each of these
> methods (in simple terms, please)? And what is the essential difference?
> Also, what kind of keys do they exchange when the 'gssapi-keyex' auth
> method is in use?

gssapi-keyex is not a way for the client to authenticate to the server; it
replaces the normal key exchange step that uses the server's
ssh_host_{ecdsa,rsa,dsa}_keys.  GSSAPIKeyExchange is a way to avoid the
"leap of faith" initial prompt when sshing to a remote host for the first
time.  (That is, "The authenticity of host 'blah' can't be established.
RSA key fingerprint is [hex].  Are you sure you want to continue
connecting (yes/no)?".)

GSSAPIAuthentication is a way for the client to authenticate to the
server; it replaces user ssh keys (e.g., ~/.ssh/id_rsa) and passwords.

-Ben Kaduk
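A practical way to see the distinction Ben draws is to look at what the client actually negotiated. The script below is an added example, not part of the list post or of OpenSSH: it reads the stderr of an `ssh -vv` run and reports the key exchange algorithm (a `gss-*` method means the server's Kerberos identity stood in for its host key) and the userauth method the server accepted. The two transcripts are constructed to resemble OpenSSH debug output; the hostname, fingerprint, and the base64 suffix on the `gss-group14-sha256-...` kex name are made up, and the `kex: host key algorithm: null` line assumes the behaviour of the GSSAPI key exchange patch, which advertises no host key during a GSS exchange.

```shell
#!/bin/sh
# Added example (not from the original post): classify what an OpenSSH
# client negotiated from its "ssh -vv" debug output, so you can tell
# whether GSSAPIKeyExchange replaced the host-key based key exchange and
# which userauth method succeeded.
#
# Both transcripts below are constructed. Line formats follow OpenSSH
# debug1 output; hostname, fingerprint and the OID suffix are invented.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Session 1: GSSAPIAuthentication yes, no GSSAPIKeyExchange. The key
# exchange still relies on the server's host key (and known_hosts); the
# user then authenticates with gssapi-with-mic.
cat >"$SAMPLE_DIR/withmic.log" <<'EOF'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: Server host key: ssh-ed25519 SHA256:CONSTRUCTEDFINGERPRINTxxxxxxxxxxxxxxxxxxxxx
debug1: Host 'server.example.com' is known and matches the ED25519 host key.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF

# Session 2: GSSAPIKeyExchange yes. The kex algorithm is a gss-* method, so
# no host key is presented or checked against known_hosts; the client then
# reports gssapi-keyex as the method the server accepted.
cat >"$SAMPLE_DIR/keyex.log" <<'EOF'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: gss-group14-sha256-toWM5Slw5Ew8Mqkay+al2g==
debug1: kex: host key algorithm: null
debug1: Calling gss_init_sec_context
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
EOF

# Key exchange algorithm the client logged, or empty if none was found.
ssh_kex_algorithm() {
    sed -n 's/^debug1: kex: algorithm: //p' "$1" | head -n 1
}

# Userauth method the server accepted, or empty if no method succeeded.
ssh_auth_method() {
    sed -n 's/^debug1: Authentication succeeded (\([^)]*\)).*$/\1/p' "$1" | head -n 1
}

# What authenticated the server to the client: "gssapi" when a gss-* kex
# ran (the server's Kerberos credentials replace the host key), "hostkey"
# when an ordinary kex ran, "unknown" if the log has no kex line.
ssh_server_trust_anchor() {
    case "$(ssh_kex_algorithm "$1")" in
        gss-*) echo gssapi ;;
        "")    echo unknown ;;
        *)     echo hostkey ;;
    esac
}

# Whether the client consulted known_hosts for this connection. A "no"
# alongside trust anchor "hostkey" would indicate a first-contact
# (leap of faith) connection rather than a verified one.
ssh_used_known_hosts() {
    if grep -q '^debug1: Host .* is known and matches' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Summarise each constructed session. With real output, capture it via
# "ssh -vv user@host true 2>session.log" and pass session.log instead.
for log in "$SAMPLE_DIR"/withmic.log "$SAMPLE_DIR"/keyex.log; do
    printf '%s: kex=%s server-auth=%s known_hosts=%s userauth=%s\n' \
        "$(basename "$log")" \
        "$(ssh_kex_algorithm "$log")" \
        "$(ssh_server_trust_anchor "$log")" \
        "$(ssh_used_known_hosts "$log")" \
        "$(ssh_auth_method "$log")"
done
```

The useful check in practice is the `server-auth` column: if you enabled GSSAPIKeyExchange to get rid of host-key prompts but the log still shows a non-`gss-*` kex algorithm, the client and server did not agree on a GSS kex method (for example because only one side has the GSSAPI key exchange support built in), and you are still trusting known_hosts.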
