Pending OpenSSH release: contains Kerberos/GSSAPI changes
Wachdorf, Daniel R
drwachd at sandia.gov
Fri Jan 30 11:41:26 EST 2004
I have been doing some testing and I noticed a problem with the server
implementation of GSSAPI authentication within the OpenSSH snapshot.
The draft (draft-ietf-secsh-gsskeyex-07) states:
Since the user authentication process by its nature authenticates
only the client, the setting of the mutual_req_flag is not needed for
this process. This flag SHOULD be set to "false".
The client sets this to true, not really a problem. Our modified f-secure
client does the same thing. However, if GSS_C_MUTUAL_FLAG is not set, then
the OpenSSH server rejects the connection. The following lines of code:
	/* Now, if we're complete and we have the right flags, then
	 * we flag the user as also having been authenticated
	 */
	if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
	    (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
		if (ssh_gssapi_getclient(ctx, &gssapi_client))
			fatal("Couldn't convert client name");
	}
This requires the client to set GSS_C_MUTUAL, which conflicts with the
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Wednesday, January 21, 2004 6:46 PM
To: kerberos at mit.edu; krbdev at mit.edu; heimdal-discuss at sics.se
Cc: OpenSSH Devel List
Subject: Pending OpenSSH release: contains Kerberos/GSSAPI changes
(I hope this message is appropriate for these lists. If not, please
tell me and I won't do it again.)
There will be a new release of OpenSSH in a couple of weeks. This
release contains Kerberos and GSSAPI related changes that we would like
to get some feedback about (and hopefully address any issues with)
before the release.
I encourage anyone with an interest in Kerberos/GSSAPI support in
OpenSSH to try a snapshot and send feedback.
Changes in OpenBSD's OpenSSH and -Portable:
- markus at cvs.openbsd.org 2003/11/17 11:06:07
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
test + ok jakob.
- jakob at cvs.openbsd.org 2003/12/23 16:12:10
implement KerberosGetAFSToken server option. ok markus@, beck@
- markus at cvs.openbsd.org 2003/11/02 11:01:03
remove support for SSH_BUG_GSSAPI_BER; simon at sxw.org.uk
Changes in -Portable only:
- (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
is found. with jakob@
- (dtucker) [configure.ac] Use krb5-config where available for
Kerberos/GSSAPI detection, libs and includes. ok djm@
Additionally, as a side effect of the last change, the test for libkafs
is now independent of the Heimdal test, so should a version that works
with MIT Kerberos be available it will be used.
All but the last are in the 20040122 snapshot, and the last will be in
20040123 and up.
Please follow-up to the OpenSSH devel list (cc: the Kerberos lists if
you consider it appropriate).
 ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or
one of the mirrors listed at http://openssh.com/portable.html#mirrors
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
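The flag check quoted above, side by side with a draft-following variant, as an added example that is not part of the original thread and not OpenSSH's own code. It reproduces the condition from the quoted gss-serv.c snippet as a plain function, then shows a variant (an assumption here, not a change the thread describes) that drops the mutual_req_flag requirement while still requiring integrity, since gssapi-with-mic depends on a MIC. The flag and status values are the constants fixed by RFC 2744, defined locally so the example compiles without gssapi.h or a Kerberos installation; the client flag combinations are constructed inputs.

```c
/* Added example: compare the snapshot's GSSAPI context-flag check with a
 * variant that follows draft-ietf-secsh-gsskeyex-07. Not OpenSSH code. */
#include <stdio.h>
#include <stddef.h>

typedef unsigned int OM_uint32;

/* Context flag bits and status code as fixed by RFC 2744 (defined here so
 * the example builds without <gssapi.h>). */
#define GSS_C_MUTUAL_FLAG 2
#define GSS_C_INTEG_FLAG  32
#define GSS_S_COMPLETE    0

/* The condition exactly as quoted from the snapshot's server code: the user
 * is treated as authenticated only when the context is complete and either
 * no flags were returned, or BOTH mutual and integrity flags are set. */
int snapshot_accepts(const OM_uint32 *flags, OM_uint32 major)
{
    return ((flags == NULL) ||
            ((*flags & GSS_C_MUTUAL_FLAG) && (*flags & GSS_C_INTEG_FLAG))) &&
           (major == GSS_S_COMPLETE);
}

/* Assumed draft-following variant (illustration, not the project's fix):
 * mutual authentication is not required for user authentication, but
 * integrity protection still is because gssapi-with-mic verifies a MIC. */
int draft_accepts(const OM_uint32 *flags, OM_uint32 major)
{
    return ((flags == NULL) || (*flags & GSS_C_INTEG_FLAG)) &&
           (major == GSS_S_COMPLETE);
}

/* Walk the flag combinations a client might present (constructed inputs).
 * A client that follows the draft and asks only for integrity is refused
 * by the snapshot check but accepted by the draft-following one. */
int main(void)
{
    struct { const char *label; OM_uint32 flags; } cases[] = {
        { "mutual+integ (what the OpenSSH client sends)",
          GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG },
        { "integ only (draft: mutual_req_flag SHOULD be false)",
          GSS_C_INTEG_FLAG },
        { "mutual only (no integrity; MIC cannot be checked)",
          GSS_C_MUTUAL_FLAG },
        { "neither flag", 0 },
    };
    size_t i;

    printf("%-52s %-9s %s\n", "client flags", "snapshot", "draft");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-52s %-9s %s\n", cases[i].label,
               snapshot_accepts(&cases[i].flags, GSS_S_COMPLETE) ? "accept" : "reject",
               draft_accepts(&cases[i].flags, GSS_S_COMPLETE) ? "accept" : "reject");
    }

    /* An incomplete context is refused by both, whatever the flags. */
    printf("incomplete context with both flags: %s\n",
           snapshot_accepts(&cases[0].flags, 1) ? "accept" : "reject");
    return 0;
}
```

The row for "integ only" is the interoperability problem raised in the message: the connection is complete and integrity-protected, yet the snapshot's check rejects it solely because the client did not request mutual authentication.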