GSSAPI Key Exchange Patch for OpenSSH 4.7p1

Henry B. Hotz hotz at
Mon Oct 1 18:08:55 EST 2007

That does sound interesting.  Count me in.

On Sep 28, 2007, at 2:26 PM, Douglas E. Engert wrote:

> Sounds interesting. And yes, I would be interested in
> the cascading credentials delegation code. Does the
> delegation code depend on the key exchange code?
> What would it take to get both of these in to PuTTY?
> Simon Wilkinson wrote:
>> Hi,
>> I'm pleased to (finally) announce the availability of my GSSAPI
>> Key Exchange patch for OpenSSH 4.7p1. Whilst OpenSSH contains
>> support for doing GSSAPI user authentication, this only allows
>> the underlying security mechanism to authenticate the user to the
>> server, and continues to use SSH host keys to authenticate the
>> server to the user. For many sites who already have security
>> infrastructures such as Kerberos deployed, managing large numbers
>> of SSH host keys is an additional, unnecessary, burden. GSSAPI
>> key exchange allows the use of security mechanisms such as
>> Kerberos to authenticate the server to the user, removing the
>> need for trusted ssh host keys, and allowing the use of a single
>> security architecture.
>>
>> This patch adds support for the RFC4462 GSSAPI key exchange
>> mechanisms to OpenSSH, along with adding some additional features
>> to the GSSAPI code that is already in the tree.
>>
>> The patch implements:
>>    *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-*
>>       key exchange mechanisms. (#1242)
>>    *) Support for the null host key type (#1242)
>>    *) Support for CCAPI credentials caches on Mac OS X (#1245)
>>    *) Support for better error handling when an authentication
>>       exchange fails due to server misconfiguration (#1244)
>>    *) Support for GSSAPI connections to hosts behind a round-robin
>>       load balancer (#1008)
>>    *) Support for GSSAPI connections to multi-homed hosts, where
>>       each interface has a unique name (#928)
>> (bug numbers are in brackets)
>>
>> There are no code changes since the previous release.
>>
>> As usual, the code is available from
>>
>> I'm also interested in hearing from people who might be
>> interested in testing some new cascading credentials delegation
>> code. When you renew your Kerberos credentials on the client,
>> this code will automatically propagate these renewed credentials
>> to the server, allowing the seamless renewal of credentials
>> across ssh sessions distributed across many different machines.
>> If you have an interest in testing this code in a non-production
>> environment, please let me know!
>>
>> Cheers,
>> Simon.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
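
The "*" in the key exchange names listed in the quoted announcement stands for a per-mechanism suffix: RFC 4462 forms each name by appending the base64 of the MD5 hash of the DER-encoded GSS-API mechanism OID. The following is an added example, not part of this thread or of the patch; it derives the names for the Kerberos 5 mechanism and picks GSSAPI methods out of a kex name-list. The function names and the sample name-list are constructed for illustration.

```python
import base64
import hashlib

KRB5_OID = "1.2.840.113554.1.2.2"  # Kerberos 5 GSS-API mechanism OID
GSS_KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")


def der_encode_oid(dotted):
    """Return the DER encoding (tag 0x06, length, body) of a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]            # low 7 bits, continuation bit clear
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        body.extend(reversed(chunk))
    # Short-form length byte; mechanism OIDs are far below 128 bytes.
    return bytes([0x06, len(body)]) + bytes(body)


def gss_kex_suffix(dotted):
    """RFC 4462 name suffix: base64 of the MD5 hash of the DER-encoded OID."""
    return base64.b64encode(hashlib.md5(der_encode_oid(dotted)).digest()).decode()


def classify_kex(name_list, known_mechs):
    """Split a kex name-list into (GSS methods with mechanism label, others)."""
    by_suffix = {gss_kex_suffix(oid): label for label, oid in known_mechs.items()}
    gss, other = [], []
    for name in name_list.split(","):
        prefix = next((p for p in GSS_KEX_PREFIXES if name.startswith(p)), None)
        if prefix is None:
            other.append(name)
        else:
            gss.append((name, by_suffix.get(name[len(prefix):], "unknown mechanism")))
    return gss, other


# Constructed sample: a kex name-list a GSSAPI-enabled peer might offer.
SAMPLE = ",".join(p + gss_kex_suffix(KRB5_OID) for p in GSS_KEX_PREFIXES) \
    + ",diffie-hellman-group14-sha1"

if __name__ == "__main__":
    for name, mech in classify_kex(SAMPLE, {"Kerberos 5": KRB5_OID})[0]:
        print(mech, name)
```

Matching on the suffix rather than the prefix alone shows which GSS-API mechanism a peer is offering, which is useful when auditing debug output for kex methods that bypass host key verification.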

More information about the openssh-unix-dev mailing list