Some GSSAPI/Kerberos Questions

sxw at inf.ed.ac.uk sxw at inf.ed.ac.uk
Tue Feb 10 10:24:44 EST 2004


On Mon, 9 Feb 2004, Phil Dibowitz wrote:

> But, erm, the announcement says, "This release contains some GSSAPI
> user authentication support to replace legacy KerberosV authentication
> support. At present this code is still considered experimental and
> SHOULD NOT BE USED."

The code drop of GSSAPI support into OpenSSH coincided with major 
revisions to the Internet-Draft on which it was based. These revisions 
were to address concerns about the lack of linking between the 
GSSAPI context and OpenSSH's session identifiers. These concerns 
applied equally to the Kerberos V code which was in early versions of 
OpenSSH. The GSSAPI code in 3.7.1 is based on the pre-revision protocol. 
CVS has an implementation of the newest I-D, which overcomes 
these issues.

It should be noted that implementations based on the earlier I-Ds are 
_not_ compatible with those using the newest ones. If you can wait, wait 
for the 3.7.2 codebase.

> For those who have used the GSSAPI stuf in 3.7.1 - have you found it
> stable?

I've been distributing patches implementing GSSAPI support for several 
years now, and they're fairly widely deployed. Unfortunately I don't 
believe they can be considered 'stable' until the I-D upon which they're 
based makes it through to an RFC.

If you want to try out the code in 3.7.1 (and I'd really recommend waiting
for 3.7.2 for production use), you need to turn on 'GSSAPIAuthentication'
in both the client and the server.

Cheers,

Simon.




More information about the openssh-unix-dev mailing list