gssapi-with-mic vs gssapi-keyex SSH authentication difference?
Greg Hudson
ghudson at mit.edu
Fri Oct 31 13:56:57 EDT 2014
On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.
If memory serves, the gssapi-keyex key exchange actually authenticates
both parties to each other. Once you have completed that, you gain
access to the gssapi-keyex userauth method, which does basically nothing
as the user is already authenticated (much like SASL EXTERNAL). The
client could still use a different userauth method to authenticate as
someone else, but it generally prefers gssapi-keyex.
More information about the Kerberos
mailing list