Pending OpenSSH release: contains Kerberos/GSSAPI changes

Darren Tucker dtucker at
Thu Jan 22 12:46:01 EST 2004

(I hope this message is appropriate for these lists.  If not, please 
tell me and I won't do it again.)

Hi All.
	There will be a new release of OpenSSH in a couple of weeks.  This 
release contains Kerberos and GSSAPI related changes that we would like 
to get some feedback about (and hopefully address any issues with) 
before the release.

	I encourage anyone with an interest in Kerberos/GSSAPI support in 
OpenSSH to try a snapshot [1] and send feedback.

Changes in OpenBSD's OpenSSH and -Portable:
    - markus at 2003/11/17 11:06:07
      replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
      test + ok jakob.
    - jakob at 2003/12/23 16:12:10
      implement KerberosGetAFSToken server option. ok markus@, beck@
    - markus at 2003/11/02 11:01:03
      remove support for SSH_BUG_GSSAPI_BER; simon at

Changes in -Portable only
  - (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
    is found.  with jakob@	
  - (dtucker) [] Use krb5-config where available for
    Kerberos/GSSAPI detection, libs and includes.  ok djm@

Additionally, as a side effect of the last change, the test for libkafs 
is now independant of the Heimdal test, so should a version that works 
with MIT Kerberos be available it will be used.

All but the last are in the 20040122 snapshot, and the last will be in 
20040123 and up.

Please follow-up to the OpenSSH devel list (cc: the Kerberos lists if 
you consider it appropriate).

[1] or 
one of the mirrors listed at

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list