Kerberos v5 and GSSAPI support in OpenSSH

Damien Miller djm at
Wed Mar 21 09:26:08 EST 2001

On Tue, 20 Mar 2001, Simon Wilkinson wrote:

> An updated version of my patch for Kerberos v5 support is now available
> from
> This patch includes updated Kerberos v5 support for protocol version 1,
> and also adds GSSAPI support for protocol version 2.

I don't know enough about the Kerberos API to review this patch myself,
so I defer to the list to review the patch.

> Unlike the Kerberos v5 code (which will still not interoperate with
> clients and servers), the GSSAPI support is based on two I-Ds
> draft-galb-secsh-gssapi-01.txt and draft-ietf-secsh-gsskeyex-01.txt.
> It adds two different points of authentication - the gsskeyex draft
> uses GSSAPI at the key exchange level, and removes the requirement to
> have hostkeys when it is used as the exchange mechanism. The first
> draft adds GSSAPI at the userauthentication level. Both support
> credential forwarding.

On what documentation did you base the krb5 support? You should write an
internet-draft on how you did it.

There seems to be two gssapi drafts, the Galbraith one and a Saloway one
which has been brought into the wg. How do they differ?


| Damien Miller <djm at> \ ``E-mail attachments are the poor man's
|          /   distributed filesystem'' - Dan Geer

More information about the openssh-unix-dev mailing list