GSSAPI Key Exchange Patch for OpenSSH 5.2p1

Simon Wilkinson sxw at
Sun Jul 26 22:45:03 EST 2009

Somewhat belatedly, I'm pleased to announce the availability of my
GSSAPI key exchange patches for OpenSSH 5.2p1. Apologies for the delay
in getting these out; a honeymoon, followed by the pressure of work,
made the first half of this year rather busy!

Whilst OpenSSH contains support for GSSAPI user authentication, this  
still relies upon SSH host keys to authenticate the server to the  
user. For sites with a deployed Kerberos infrastructure this adds an  
additional, unnecessary, key management burden. GSSAPI key exchange  
allows the use of security mechanisms such as Kerberos to authenticate  
the server to the user, removing the need for trusted ssh host keys,  
and allowing the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange mechanisms  
to OpenSSH, along with adding some additional, generic, GSSAPI  
features. It implements
*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key   
exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange  
fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load
balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each  
interface has a unique name (#928)
*) Support for cascading credentials renewal

(bug numbers are in brackets)

Since the last release

Greg Hudson, of the Kerberos Consortium, kindly performed a code  
review of this patch at the beginning of the year. This release  
addresses a number of minor issues he identified. In addition a new  
option "GSSAPIClientIdentity" is implemented. This allows the user to  
set which GSSAPI identity should be used to contact a particular host  
- it will only work on systems whose Kerberos libraries support the  
concept of multiple identities (such as Mac OS X). Cascading  
credentials renewal is now supported as part of the main patch.

As usual, the code is available from

Two patches are available, one containing cascading credentials  
support, and one without. In addition, the quilt patch series that  
makes up this release is also provided, for those who wish to pick and  

Sorry once again for the delay, and thanks to all those who have been  
patiently waiting (and nagging) for me to get this out.
