krb5 support

Dug Song dugsong at
Fri Dec 3 04:06:51 EST 1999

On Thu, 2 Dec 1999, Mike Fisk wrote:

> As far as I can tell, GSS-API has no mechanism for negotiating supported
> authentication types.  It is purely a way for clients and servers to
> interface with authentication libraries and pass credentials across the
> wire. 

GSS-API doesn't have one per se, but there has been at least one proposed
negotiation mechanism on top of it - see RFC 2478 for details.

> It seems to be mainly used as a way to include Kerberos support.

this is probably because only Kerberos people have implemented it (MIT
krb5, KTH heimdal). but again, there have been proposals to use public key
GSS-API mechanisms - see RFC 2025 (SPKM).

i think GSS-API has been slow to catch on for the following reasons:

	1. unwieldy interface, somewhat over-engineered

	2. lack of freely available independent implementations
	   (MIT and KTH's are both tied to their Kerberos distributions)

	3. SSL (SSLeay/OpenSSL in particular) is so much easier for
	   people to understand and code to - no middleware, just
	   some initialization and then read()/write() API replacements

still, with important protocols like NFSv4 relying on the deployment of
GSS-API (e.g. RPCSEC_GSS), i'm sure it will mature and gain acceptance
over time.



More information about the openssh-unix-dev mailing list