Kerberos v5 and GSSAPI support in OpenSSH
Simon Wilkinson
sxw at dcs.ed.ac.uk
Wed Mar 21 11:05:55 EST 2001
On Tuesday 20 March 2001 22:26, Damien Miller wrote:
> On what documentation did you base the krb5 support? You should write an
> internet-draft on how you did it.
The Kerberos V protocol 1 patch is based on work done by Daniel Kouril - I
took his Heimdal patch for an older version of OpenSSH (2.1.0), and updated
it to the current OpenSSH release, and added MIT Kerberos support. More
details on this are on my original message about the Kerberos V patch, and at
http://www.ics.muni.cz/scb/devel/
I've been persuaded that it's worth splitting the protocol 1 and protocol 2
patches up. I intend doing so shortly.
> There seem to be two gssapi drafts, the Galbraith one and a Salowey one
> which has been brought into the wg. How do they differ?
The Galbraith, van Dyke and Welch draft defines an extension which performs
GSSAPI authentication as part of the user authentication process. This uses a
somewhat more complicated exchange than the other draft.
The Hutzelman & Salowey draft defines a new key exchange technique which uses
GSSAPI to secure the key exchange. This removes the need for servers to have
a host key, but can cause problems if the GSSAPI exchange fails (especially
if it happens during key renegotiation).
I've implemented both of these, and there is a lot of code reuse between the
two.
Cheers,
Simon.
--
Simon Wilkinson <simon at sxw.org.uk> http://www.sxw.org.uk
"The universal aptitude for ineptitude makes any human accomplishment an
incredible miracle." - Col. John P. Stapp