Pending OpenSSH release: contains Kerberos/GSSAPI changes

Wachdorf, Daniel R drwachd at
Sat Jan 31 03:41:26 EST 2004


I have been doing some testing and I noticed a problem with the server
implementation of GSSAPI authentication within the OpenSSH snapshot.

The draft (draft-ietf-secsh-gsskeyex-07) states:

   Since the user authentication process by its nature authenticates
   only the client, the setting of the mutual_req_flag is not needed for
   this process.  This flag SHOULD be set to "false".

The client sets this to true, not really a problem.  Our modified f-secure
client does the same thing.  However, if GSS_C_MUTUAL_FLAG is not set, then
the open ssh server rejects the connection.  The following line of code
(from gss-serv.c):

        /* Now, if we're complete and we have the right flags, then
         * we flag the user as also having been authenticated */

        if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
            (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE))
                if (ssh_gssapi_getclient(ctx, &gssapi_client))
                        fatal("Couldn't convert client name");

This requires the client to set GSS_C_MUTUAL, which conflicts with the


-----Original Message-----
From: Darren Tucker [mailto:dtucker at] 
Sent: Wednesday, January 21, 2004 6:46 PM
To: kerberos at; krbdev at; heimdal-discuss at
Cc: OpenSSH Devel List
Subject: Pending OpenSSH release: contains Kerberos/GSSAPI changes

(I hope this message is appropriate for these lists.  If not, please 
tell me and I won't do it again.)

Hi All.
	There will be a new release of OpenSSH in a couple of weeks.  This 
release contains Kerberos and GSSAPI related changes that we would like 
to get some feedback about (and hopefully address any issues with) 
before the release.

	I encourage anyone with an interest in Kerberos/GSSAPI support in 
OpenSSH to try a snapshot [1] and send feedback.

Changes in OpenBSD's OpenSSH and -Portable:
    - markus at 2003/11/17 11:06:07
      replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
      test + ok jakob.
    - jakob at 2003/12/23 16:12:10
      implement KerberosGetAFSToken server option. ok markus@, beck@
    - markus at 2003/11/02 11:01:03
      remove support for SSH_BUG_GSSAPI_BER; simon at

Changes in -Portable only
  - (dtucker) Only enable KerberosGetAFSToken if Heimdal's libkafs
    is found.  with jakob@
  - (dtucker) [] Use krb5-config where available for
    Kerberos/GSSAPI detection, libs and includes.  ok djm@

Additionally, as a side effect of the last change, the test for libkafs 
is now independent of the Heimdal test, so should a version that works 
with MIT Kerberos be available it will be used.

All but the last are in the 20040122 snapshot, and the last will be in 
20040123 and up.

Please follow up to the OpenSSH devel list (cc: the Kerberos lists if 
you consider it appropriate).

[1] or 
one of the mirrors listed at

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

krbdev mailing list             krbdev at
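An added illustration of the flag check under discussion (not code from the OpenSSH tree or from either poster): the snapshot's condition as quoted from gss-serv.c beside a hypothetical variant that follows the draft by accepting a context without GSS_C_MUTUAL_FLAG while still requiring integrity protection, which gssapi-with-mic needs for its MIC. The constants are local copies of the RFC 2744 values so the block builds without a GSSAPI library; the function names and the handling of a NULL flags pointer in the variant are assumptions.

```c
#include <stdio.h>

/* Local copies of the RFC 2744 values so this builds without gssapi.h. */
#define GSS_C_MUTUAL_FLAG 2u
#define GSS_C_INTEG_FLAG  32u
#define GSS_S_COMPLETE    0u
typedef unsigned int OM_uint32;

/* The condition quoted from gss-serv.c: a NULL flags pointer passes,
 * otherwise both MUTUAL and INTEG must be set. Returns 1 when the
 * server would go on to mark the user as authenticated. */
int snapshot_accepts(const OM_uint32 *flags, OM_uint32 major)
{
    return ((flags == NULL) ||
            ((*flags & GSS_C_MUTUAL_FLAG) && (*flags & GSS_C_INTEG_FLAG)))
           && (major == GSS_S_COMPLETE);
}

/* Hypothetical draft-conformant variant: mutual authentication is not
 * required for user authentication, but integrity protection still is,
 * because gssapi-with-mic relies on a MIC over the authentication data.
 * A NULL flags pointer is treated as unknown and rejected rather than
 * silently accepted (assumption, not what the snapshot does). */
int draft_accepts(const OM_uint32 *flags, OM_uint32 major)
{
    if (flags == NULL || major != GSS_S_COMPLETE)
        return 0;
    return (*flags & GSS_C_INTEG_FLAG) != 0;
}

int main(void)
{
    /* Constructed flag sets: a draft-following client (integrity only),
     * one that requests mutual auth, and one lacking integrity. */
    OM_uint32 cases[] = { GSS_C_INTEG_FLAG,
                          GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG,
                          GSS_C_MUTUAL_FLAG };
    for (int i = 0; i < 3; i++)
        printf("flags=0x%02x snapshot=%d draft=%d\n", cases[i],
               snapshot_accepts(&cases[i], GSS_S_COMPLETE),
               draft_accepts(&cases[i], GSS_S_COMPLETE));
    return 0;
}
```

The first line of output shows the case from the report: a client that leaves mutual_req_flag false is rejected by the snapshot's check but accepted by the draft-conformant one.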
