Kerberos v5 and GSSAPI support in OpenSSH

Simon Wilkinson sxw at
Wed Mar 21 11:05:55 EST 2001

On Tuesday 20 March 2001 22:26, Damien Miller wrote:
> On what documentation did you base the krb5 support? You should write an
> internet-draft on how you did it.

The Kerberos V protocol 1 patch is based on work done by Daniel Kouril - I 
took his Heimdal patch for an older version of OpenSSH (2.1.0), and updated 
it to  the current OpenSSH release, and added MIT Kerberos support. More 
details on this are on my original message about the Kerberos V patch, and at

I've been persuaded that its worth splitting the protocol 1 and protocol 2 
patches up. I intend doing so shortly.

> There seems to be two gssapi drafts, the Galbraith one and a Saloway one
> which has been brought into the wg. How do they differ?

The Galbraith, van Dyke and Welch draft defines an extension which performs 
GSSAPI authentication as part of the user authentication process. This uses a 
somewhat more complicated exchange than the other draft.

The Hutzelman & Salowey draft defines a new key exchange technique which uses 
GSSAPI to secure the key exchange. This removes the need for servers to have 
a host key, but can cause problems if the GSSAPI exchange fails (especially 
if it happens during key renegotiation)

I've implemented both of these, and there is a lot of code reuse between the 


Simon Wilkinson            <simon at>
"The universal aptitude for ineptitude makes any human accomplishment an
incredible miracle." - Col. John P. Stapp 

More information about the openssh-unix-dev mailing list