gssapi-with-mic vs gssapi-keyex SSH authentication difference?

Nico Williams nico at cryptonector.com
Fri Oct 31 15:23:18 EDT 2014


GSS key exchange alone does not authenticate the client to the server
because a binding of the GSS security context to the Diffie-Hellman or
RSA key exchange is not sent by the client, only by the server.  There
is not much point to authenticating the client at this point anyways
because GSS authentication is not enough: we need a *username* to
authorize the authenticated _principal_ to, and that comes later in
the protocol.

SSHv2 could well have been (and perhaps still could be) optimized
quite a bit.  As it is all of this takes quite a few messages: TCP
handshake, version string scream exchange, KEX (one round-trip in the
optimal case, with GSS and Kerberos), userauth (one more round-trip in
the optimal case, with gssapi-keyex).  If confidentiality protection
of the client principal and username were not important this could be
reduced by one round trip in an optimized form of the protocol.

Nico
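To make the binding described above concrete, here is an added Python model (not from this thread or from any SSH implementation) of the two MICs RFC 4462 defines: the server's MIC over the exchange hash H in KEXGSS_COMPLETE, and the client's gssapi-keyex userauth MIC over the session identifier plus the requested username. HMAC-SHA256 stands in for the mechanism's GSS_GetMIC, and the context key, exchange hash and usernames are constructed sample values.

```python
import hashlib
import hmac
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252


def gss_get_mic(context_key: bytes, data: bytes) -> bytes:
    # Stand-in for GSS_GetMIC: a real mechanism (e.g. Kerberos) derives the
    # MIC from the established security context; the HMAC is an assumption.
    return hmac.new(context_key, data, hashlib.sha256).digest()


def gss_verify_mic(context_key: bytes, data: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(gss_get_mic(context_key, data), mic)


def ssh_string(b: bytes) -> bytes:
    # RFC 4251 "string": uint32 big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b


def kex_server_mic(context_key: bytes, exchange_hash: bytes) -> bytes:
    # RFC 4462 sect. 2: only the server binds the GSS context to the key
    # exchange, by sending a MIC over H in SSH_MSG_KEXGSS_COMPLETE.
    return gss_get_mic(context_key, exchange_hash)


def userauth_mic_input(session_id: bytes, username: str,
                       service: str = "ssh-connection") -> bytes:
    # RFC 4462 sect. 4: data the client MICs for the gssapi-keyex method;
    # this is where the context is bound to the session *and* a username.
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-keyex"))


def server_accepts_userauth(context_key: bytes, session_id: bytes,
                            username: str, mic: bytes) -> bool:
    return gss_verify_mic(context_key, userauth_mic_input(session_id, username), mic)


def demo() -> dict:
    key = b"constructed-gss-context-key"          # shared after GSS KEX
    h = hashlib.sha256(b"constructed exchange hash input").digest()
    server_ok = gss_verify_mic(key, h, kex_server_mic(key, h))  # client checks server
    mic = gss_get_mic(key, userauth_mic_input(h, "alice"))      # session_id == first H
    return {
        "server_authenticated": server_ok,
        "alice_accepted": server_accepts_userauth(key, h, "alice", mic),
        "other_user_rejected": server_accepts_userauth(key, h, "root", mic),
        "other_session_rejected": server_accepts_userauth(key, b"\x00" * 32, "alice", mic),
    }
```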