New GSSAPI Key Exchange patch for OpenSSH 4.2p1

Simon Wilkinson simon at
Tue Sep 27 04:28:46 EST 2005


This is to announce the availability of a new version of my GSSAPI key
exchange patch for OpenSSH.

The code is available from

Changes since the last release are:

   *) Implement GSS group exchange
   *) Disable DNS canonicalization of the hostname passed to the GSSAPI
      library - an option is provided to allow this to be overriden on a
      host by host basis.
   *) Fix the crash when connecting to a server which supports sending a
      hostkey as part of the GSSAPI key exchange.
   *) Make GSS rekeying work when privsep is enabled
   *) Fix incorrect naming of keyex userauth mechanism
   *) Fix client crash when doing key exchange with expired credentials
   *) Assorted buffer initialization fixes

Why Key Exchange?

Whilst OpenSSH contains support for doing GSSAPI user authentication,
this only allows the underlying security mechanism to authenticate the
user to the server, and continues to use SSH host keys to authenticate
the server to the user. For many sites who already have security
infrastructures such as Kerberos deployed, managing large numbers of SSH
host keys is an additional, unneccessary, burden. GSSAPI key exchange
allows the use of security mechanisms such as Kerberos to authenticate
the server to the user, removing the need for trusted ssh host keys, and
allowing the use of a single security architecture.



More information about the openssh-unix-dev mailing list