gssapi-with-mic vs gssapi-keyex SSH authentication difference?
Tomas Kuthan
tomas.kuthan at oracle.com
Fri Oct 31 14:04:56 EDT 2014
On 10/31/14 18:38, Rufe Glick wrote:
> Hello,
>
> I have Kerberos infrastructure set up and GSSAPI enabled in ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication yes). When I connect to the SSH server using verbose mode I see that SSH client uses 'gssapi-with-mic' mode to authenticate itself. Then if I additionally enable 'GSSAPIKeyExchange yes' setting the SSH client prefers the 'gssapi-keyex' method to authenticate itself.
>
> The questions are what does happen under the hood of both of these methods (in simple terms, please)? And what is the essential difference? Also what kind of keys do they exchange when 'gssapi-keyex' auth method is in use?
>
> --
> Best regards,
> Rufe
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Hi Rufe,
first step of establishing ssh connection is establishing Transport
Layer. In this step the server is authenticated and keys are exchanged,
that are used to provide integrity and confidentiality. User
authentication is then performed over this secure channel.
There are several Key Exchange Methods, one of which is
GSS-API-Authenticated Diffie-Hellman Key Exchange.
'gssapi-keyex' and 'gssapi-with-mics' are two examples of user
authentication methods. The fundamental difference is, that
'gssapi-keyex' authentication can only be used when the key exchange
earlier was GSS-API-Authenticated Diffie-Hellman Key Exchange and it
reuses the context from the key exchange.
For more information please refer to RFC 4462
Tomas
More information about the Kerberos
mailing list