Kerberos v5 and GSSAPI support in OpenSSH
Damien Miller
djm at mindrot.org
Wed Mar 21 09:26:08 EST 2001
On Tue, 20 Mar 2001, Simon Wilkinson wrote:
> An updated version of my patch for Kerberos v5 support is now available
> from
> http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch
>
> This patch includes updated Kerberos v5 support for protocol version 1,
> and also adds GSSAPI support for protocol version 2.
I don't know enough about the Kerberos API to review this patch myself,
so I defer to the list to review the patch.
> Unlike the Kerberos v5 code (which will still not interoperate with
> ssh.com clients and servers), the GSSAPI support is based on two I-Ds
> draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
> It adds two different points of authentication - the gsskeyex draft
> uses GSSAPI at the key exchange level, and removes the requirement to
> have hostkeys when it is used as the exchange mechanism. The first
> draft adds GSSAPI at the user authentication level. Both support
> credential forwarding.
On what documentation did you base the krb5 support? You should write an
internet-draft on how you did it.
There seem to be two gssapi drafts, the Galbraith one and a Saloway one
which has been brought into the wg. How do they differ?
-d
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer