gssapi-with-mic vs gssapi-keyex SSH authentication difference?

Greg Hudson ghudson at mit.edu
Fri Oct 31 13:56:57 EDT 2014


On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.

If memory serves, the gssapi-keyex key exchange actually authenticates
both parties to each other.  Once you have completed that, you gain
access to the gssapi-keyex userauth method, which does basically nothing
as the user is already authenticated (much like SASL EXTERNAL).  The
client could still use a different userauth method to authenticate as
someone else, but it generally prefers gssapi-keyex.


More information about the Kerberos mailing list