Kerberos v5 and GSSAPI support in OpenSSH

Simon Wilkinson sxw at dcs.ed.ac.uk
Wed Mar 21 05:15:51 EST 2001


An updated version of my patch for Kerberos v5 support is now available
from
http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch

This patch includes updated Kerberos v5 support for protocol version 1,
and also adds GSSAPI support for protocol version 2.

Unlike the Kerberos v5 code (which will still not interoperate with
ssh.com clients and servers), the GSSAPI support is based on two I-Ds
draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
It adds two different points of authentication - the gsskeyex draft
uses GSSAPI at the key exchange level, and removes the requirement to
have hostkeys when it is used as the exchange mechanism. The first
draft adds GSSAPI at the user authentication level. Both support
credential forwarding.

I've implemented support for the Kerberos v5 GSSAPI mechanism - it should
be trivial to add additional mechanisms. The GSSAPI code has not been
tested under Heimdal (the Kerberos v5 code has, and should work).

Sorry for this being one huge patch - I had originally tried to separate
these out in two (GSSAPI in one, and Kerberos v5 in the other), but there
were too many conflicts when combining them together.
If people would like to see a patch implementing just one of these things let 
me know, and I'll have another go.

Cheers,

Simon.




